
Windows Analysis Report
rpzOeQ5QzX.exe

Overview

General Information

Sample name: rpzOeQ5QzX.exe (renamed because the original name is a hash value)
Original sample name: cc3ac85b3c5690d542ed9f3266b9bd83.exe
Analysis ID: 1444673
MD5: cc3ac85b3c5690d542ed9f3266b9bd83
SHA1: af14f36d9412a1c79453a622a5ad343cc01ca6f7
SHA256: 8eb33da353d3756d8cd4cb9308fd5ef72a9b35441bec41fd17c3f3ee508ea9ab
Tags: 32, exe, trojan

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • rpzOeQ5QzX.exe (PID: 3328 cmdline: "C:\Users\user\Desktop\rpzOeQ5QzX.exe" MD5: CC3AC85B3C5690D542ED9F3266B9BD83)
    • cmd.exe (PID: 2360 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hvjnshqw\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5096 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xnjytljr.exe" C:\Windows\SysWOW64\hvjnshqw\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2248 cmdline: "C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 3748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2300 cmdline: "C:\Windows\System32\sc.exe" description hvjnshqw "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4852 cmdline: "C:\Windows\System32\sc.exe" start hvjnshqw MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 4904 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 1616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 5584 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1184 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • xnjytljr.exe (PID: 6788 cmdline: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d"C:\Users\user\Desktop\rpzOeQ5QzX.exe" MD5: 75240FF630B9C24DB13964D6E038456F)
    • svchost.exe (PID: 2244 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 1096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 548 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 3224 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 1172 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6788 -ip 6788 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2716 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3328 -ip 3328 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6568 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee

Extracted malware configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
Source: 0000000C.00000002.2134681317.00000000007CC000.00000040.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_RedLineStealer_ed346e4c | Description: unknown | Author: unknown
  • 0x5129:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
Source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp | Rule: MALWARE_Win_Tofsee | Description: Detects Tofsee | Author: ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
(24 further entries not shown)

Source | Rule | Description | Author | Strings
Source: 12.2.xnjytljr.exe.5f0e67.1.unpack | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 12.2.xnjytljr.exe.5f0e67.1.unpack | Rule: MALWARE_Win_Tofsee | Description: Detects Tofsee | Author: ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
Source: 12.2.xnjytljr.exe.770000.2.raw.unpack | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
Source: 12.2.xnjytljr.exe.770000.2.raw.unpack | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 12.2.xnjytljr.exe.770000.2.raw.unpack | Rule: MALWARE_Win_Tofsee | Description: Detects Tofsee | Author: ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
(39 further entries not shown)

System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d"C:\Users\user\Desktop\rpzOeQ5QzX.exe", ParentImage: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe, ParentProcessId: 6788, ParentProcessName: xnjytljr.exe, ProcessCommandLine: svchost.exe, ProcessId: 2244, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\rpzOeQ5QzX.exe", ParentImage: C:\Users\user\Desktop\rpzOeQ5QzX.exe, ParentProcessId: 3328, ParentProcessName: rpzOeQ5QzX.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2248, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.47.54.36, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 2244, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49700
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d"C:\Users\user\Desktop\rpzOeQ5QzX.exe", ParentImage: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe, ParentProcessId: 6788, ParentProcessName: xnjytljr.exe, ProcessCommandLine: svchost.exe, ProcessId: 2244, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2244, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\hvjnshqw
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\rpzOeQ5QzX.exe", ParentImage: C:\Users\user\Desktop\rpzOeQ5QzX.exe, ParentProcessId: 3328, ParentProcessName: rpzOeQ5QzX.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2248, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 3224, ProcessName: svchost.exe
No Snort rule has matched


AV Detection

Source: rpzOeQ5QzX.exe | Avira: detected
Source: vanaheim.cn:443 | URL Reputation: Label: malware
Source: jotunheim.name:443 | URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Temp\xnjytljr.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: 0.3.rpzOeQ5QzX.exe.20c0000.0.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: vanaheim.cn | Virustotal: Detection: 15%
Source: rpzOeQ5QzX.exe | Virustotal: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\xnjytljr.exe | Joe Sandbox ML: detected
Source: rpzOeQ5QzX.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Unpacked PE file: 0.2.rpzOeQ5QzX.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe | Unpacked PE file: 12.2.xnjytljr.exe.400000.0.unpack
Source: rpzOeQ5QzX.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\hvjnshqw

Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.184.27 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 141.8.199.94 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.91 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 98.136.96.91
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | IP Address: 104.47.54.36
Source: Joe Sandbox View | ASN Name: SPRINTHOSTRU
Source: Joe Sandbox View | ASN Name: YAHOO-NE1US
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: global traffic | TCP traffic: 192.168.2.6:49700 -> 104.47.54.36:25
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 98.136.96.91:25
Source: global traffic | TCP traffic: 192.168.2.6:49709 -> 64.233.184.27:25
Source: global traffic | TCP traffic: 192.168.2.6:49712 -> 217.69.139.150:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (9 events)
Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta7.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 12.2.xnjytljr.exe.770000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.xnjytljr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rpzOeQ5QzX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rpzOeQ5QzX.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.xnjytljr.exe.770000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.svchost.exe.2b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.svchost.exe.2b40000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rpzOeQ5QzX.exe.20a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.xnjytljr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.xnjytljr.exe.5f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.rpzOeQ5QzX.exe.20c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.xnjytljr.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2134638344.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2092973488.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rpzOeQ5QzX.exe PID: 3328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xnjytljr.exe PID: 6788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2244, type: MEMORYSTR

        System Summary

        barindex
        Source: 12.2.xnjytljr.exe.5f0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.xnjytljr.exe.5f0e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.xnjytljr.exe.770000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.xnjytljr.exe.770000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.xnjytljr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.xnjytljr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.rpzOeQ5QzX.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.rpzOeQ5QzX.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.rpzOeQ5QzX.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.rpzOeQ5QzX.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.3.xnjytljr.exe.610000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.3.xnjytljr.exe.610000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.xnjytljr.exe.770000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.xnjytljr.exe.770000.2.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.rpzOeQ5QzX.exe.20a0e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.rpzOeQ5QzX.exe.20a0e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.3.rpzOeQ5QzX.exe.20c0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.rpzOeQ5QzX.exe.20c0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 16.2.svchost.exe.2b40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 16.2.svchost.exe.2b40000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 16.2.svchost.exe.2b40000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 16.2.svchost.exe.2b40000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.rpzOeQ5QzX.exe.20a0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.rpzOeQ5QzX.exe.20a0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.xnjytljr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.xnjytljr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.xnjytljr.exe.5f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.xnjytljr.exe.5f0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.3.rpzOeQ5QzX.exe.20c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.rpzOeQ5QzX.exe.20c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.3.xnjytljr.exe.610000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.3.xnjytljr.exe.610000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2134681317.00000000007CC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2134638344.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000002.2134638344.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000002.2134977363.00000000005CE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 00000000.00000003.2092973488.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000003.2092973488.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,0_2_00408E26
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_00401280 ShellExecuteExW,LocalAlloc,VirtualProtect,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,0_2_00401280
        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\hvjnshqw\Jump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_0040C9130_2_0040C913
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeCode function: 12_2_0040C91312_2_0040C913
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_02B4C91316_2_02B4C913
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: String function: 00402544 appears 53 times
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: String function: 020A27AB appears 35 times
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6788 -ip 6788
        Source: rpzOeQ5QzX.exe, 00000000.00000002.2134878632.0000000000475000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesFilezera> vs rpzOeQ5QzX.exe
        Source: rpzOeQ5QzX.exe, 00000000.00000002.2134995554.00000000005E3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesFilezera> vs rpzOeQ5QzX.exe
        Source: rpzOeQ5QzX.exeBinary or memory string: OriginalFilenamesFilezera> vs rpzOeQ5QzX.exe
        Source: rpzOeQ5QzX.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 12.2.xnjytljr.exe.5f0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.xnjytljr.exe.5f0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.xnjytljr.exe.770000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.xnjytljr.exe.770000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.xnjytljr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.xnjytljr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.rpzOeQ5QzX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.rpzOeQ5QzX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.rpzOeQ5QzX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.rpzOeQ5QzX.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.xnjytljr.exe.610000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.xnjytljr.exe.610000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.xnjytljr.exe.770000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.xnjytljr.exe.770000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.rpzOeQ5QzX.exe.20a0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.rpzOeQ5QzX.exe.20a0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.rpzOeQ5QzX.exe.20c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.rpzOeQ5QzX.exe.20c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 16.2.svchost.exe.2b40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 16.2.svchost.exe.2b40000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 16.2.svchost.exe.2b40000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 16.2.svchost.exe.2b40000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.rpzOeQ5QzX.exe.20a0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.rpzOeQ5QzX.exe.20a0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.xnjytljr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.xnjytljr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.xnjytljr.exe.5f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.xnjytljr.exe.5f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.rpzOeQ5QzX.exe.20c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.rpzOeQ5QzX.exe.20c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.xnjytljr.exe.610000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.xnjytljr.exe.610000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2134681317.00000000007CC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2134638344.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2134638344.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2134977363.00000000005CE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000003.2092973488.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.2092973488.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@32/3@9/5
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Code function: 0_2_00406A60: lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Code function: 0_2_005D2DFF: CreateToolhelp32Snapshot,Module32First
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Code function: 0_2_00409A6B: EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe | Code function: 12_2_00409A6B: EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_02B49A6B: EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3748:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:1172:64:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1616:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:2716:64:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2304:120:WilError_03
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | File created: C:\Users\user\AppData\Local\Temp\xnjytljr.exe
        Source: rpzOeQ5QzX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: rpzOeQ5QzX.exe | Virustotal: Detection: 38%
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | File read: C:\Users\user\Desktop\rpzOeQ5QzX.exe
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_12-15112
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_0-14900
        Source: unknown | Process created: C:\Users\user\Desktop\rpzOeQ5QzX.exe "C:\Users\user\Desktop\rpzOeQ5QzX.exe"
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hvjnshqw\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xnjytljr.exe" C:\Windows\SysWOW64\hvjnshqw\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description hvjnshqw "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start hvjnshqw
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d"C:\Users\user\Desktop\rpzOeQ5QzX.exe"
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6788 -ip 6788
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3328 -ip 3328
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 548
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1184
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hvjnshqw\
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xnjytljr.exe" C:\Windows\SysWOW64\hvjnshqw\
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description hvjnshqw "wifi internet conection"
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start hvjnshqw
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6788 -ip 6788
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3328 -ip 3328
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 548
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1184
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe | Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe | Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe | Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe | Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
        Source: rpzOeQ5QzX.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

        barindex
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeUnpacked PE file: 0.2.rpzOeQ5QzX.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeUnpacked PE file: 12.2.xnjytljr.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeUnpacked PE file: 0.2.rpzOeQ5QzX.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeUnpacked PE file: 12.2.xnjytljr.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,0_2_00406069
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeCode function: 12_2_007E1C6F push ss; iretd 12_2_007E1C72

        Persistence and Installation Behavior

        barindex
        Source: unknownExecutable created and started: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeFile created: C:\Users\user\AppData\Local\Temp\xnjytljr.exeJump to dropped file
        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe (copy)Jump to dropped file
        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe (copy)Jump to dropped file
        Source: C:\Windows\SysWOW64\svchost.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hvjnshqwJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        barindex
        Source: C:\Windows\SysWOW64\svchost.exeFile deleted: c:\users\user\desktop\rpzoeq5qzx.exeJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00401000
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeCode function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary,16_2_02B4199C
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_12-15525
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-15345
        Source: C:\Windows\SysWOW64\svchost.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_16-7600
        Source: C:\Windows\SysWOW64\svchost.exeEvaded block: after key decisiongraph_16-6135
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-15323
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_12-15497
        Source: C:\Windows\SysWOW64\svchost.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_16-7322
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_0-15084
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-14913
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_12-15128
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeAPI coverage: 5.6 %
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeAPI coverage: 4.1 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 2084Thread sleep count: 37 > 30Jump to behavior
        Source: C:\Windows\SysWOW64\svchost.exe TID: 2084Thread sleep time: -37000s >= -30000sJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount,0_2_00401D96
        Source: svchost.exe, 00000010.00000002.3360971175.0000000003000000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeAPI call chain: ExitProcess graph end nodegraph_0-15335

        Anti Debugging

        barindex
        Source: C:\Windows\SysWOW64\svchost.exeDebugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleepgraph_16-7661
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr,0_2_00406069
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_005D26DC push dword ptr fs:[00000030h]0_2_005D26DC
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_020A092B mov eax, dword ptr fs:[00000030h]0_2_020A092B
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_020A0D90 mov eax, dword ptr fs:[00000030h]0_2_020A0D90
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeCode function: 12_2_005F092B mov eax, dword ptr fs:[00000030h]12_2_005F092B
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeCode function: 12_2_005F0D90 mov eax, dword ptr fs:[00000030h]12_2_005F0D90
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeCode function: 12_2_007D0A34 push dword ptr fs:[00000030h]12_2_007D0A34
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap,0_2_0040EBCC
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exeCode function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exeCode function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_02B49A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,16_2_02B49A6B

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Source: C:\Windows\SysWOW64\svchost.exe  Network Connect: 64.233.184.27 port 25
        Source: C:\Windows\SysWOW64\svchost.exe  Network Connect: 141.8.199.94 port 443
        Source: C:\Windows\SysWOW64\svchost.exe  Network Connect: 98.136.96.91 port 25
        Source: C:\Windows\SysWOW64\svchost.exe  Network Connect: 217.69.139.150 port 25
        Source: C:\Windows\SysWOW64\svchost.exe  Network Connect: 104.47.54.36 port 25
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe  Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2B40000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B40000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B40000
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D0B008
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hvjnshqw\
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xnjytljr.exe" C:\Windows\SysWOW64\hvjnshqw\
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description hvjnshqw "wifi internet conection"
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start hvjnshqw
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe  Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6788 -ip 6788
        Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3328 -ip 3328
        Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 548
        Source: C:\Windows\System32\svchost.exe  Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1184
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00406EDD
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe  Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,0_2_0040405E
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,0_2_0040EC54
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,0_2_0040B211
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

        barindex
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

        barindex
        Source: Yara match  File source: 12.2.xnjytljr.exe.770000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 12.2.xnjytljr.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.rpzOeQ5QzX.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.rpzOeQ5QzX.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 12.2.xnjytljr.exe.770000.2.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 16.2.svchost.exe.2b40000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 16.2.svchost.exe.2b40000.0.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.rpzOeQ5QzX.exe.20a0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 12.2.xnjytljr.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 12.2.xnjytljr.exe.5f0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.3.rpzOeQ5QzX.exe.20c0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 12.3.xnjytljr.exe.610000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match  File source: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000C.00000002.2134638344.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 00000000.00000003.2092973488.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: Process Memory Space: rpzOeQ5QzX.exe PID: 3328, type: MEMORYSTR
        Source: Yara match  File source: Process Memory Space: xnjytljr.exe PID: 6788, type: MEMORYSTR
        Source: Yara match  File source: Process Memory Space: svchost.exe PID: 2244, type: MEMORYSTR

        Remote Access Functionality

        barindex
        Source: Yara match  File source: 12.2.xnjytljr.exe.770000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 12.2.xnjytljr.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.rpzOeQ5QzX.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.rpzOeQ5QzX.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 12.2.xnjytljr.exe.770000.2.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 16.2.svchost.exe.2b40000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 16.2.svchost.exe.2b40000.0.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.2.rpzOeQ5QzX.exe.20a0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 12.2.xnjytljr.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 12.2.xnjytljr.exe.5f0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0.3.rpzOeQ5QzX.exe.20c0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 12.3.xnjytljr.exe.610000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match  File source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match  File source: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match  File source: 0000000C.00000002.2134638344.0000000000770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: 00000000.00000003.2092973488.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match  File source: Process Memory Space: rpzOeQ5QzX.exe PID: 3328, type: MEMORYSTR
        Source: Yara match  File source: Process Memory Space: xnjytljr.exe PID: 6788, type: MEMORYSTR
        Source: Yara match  File source: Process Memory Space: svchost.exe PID: 2244, type: MEMORYSTR
        Source: C:\Users\user\Desktop\rpzOeQ5QzX.exe  Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,0_2_004088B0
        Source: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe  Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,12_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exe  Code function: 16_2_02B488B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,16_2_02B488B0
        MITRE ATT&CK Matrix (per tactic; the number in parentheses is the count shown in the report for that technique)

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
        Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
        Execution: Native API (41); Command and Scripting Interpreter (2); Service Execution (3); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
        Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (14); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
        Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (412); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
        Defense Evasion: Disable or Modify Tools (3); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (2); DLL Side-Loading (1); File Deletion (1); Masquerading (12); Valid Accounts (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (412)
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
        Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (15); Security Software Discovery (111); Virtualization/Sandbox Evasion (11); Process Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1); Network Service Discovery; System Network Connections Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
        Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
        Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (112); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
        Behavior Graph
        Behavior Graph ID: 1444673  Sample: rpzOeQ5QzX.exe  Start date: 21/05/2024  Architecture: WINDOWS  Score: 100

        Start node
        • DNS/IP info: yahoo.com; vanaheim.cn; 6 other IPs or domains
        • Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
        • Started: xnjytljr.exe; rpzOeQ5QzX.exe; svchost.exe; svchost.exe

        xnjytljr.exe
        • Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
        • Started: svchost.exe; WerFault.exe

        rpzOeQ5QzX.exe
        • Dropped: C:\Users\user\AppData\Local\...\xnjytljr.exe, PE32
        • Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
        • Started: cmd.exe; netsh.exe; cmd.exe; 4 other processes

        svchost.exe (started from the start node)
        • Started: WerFault.exe; WerFault.exe

        svchost.exe (started by xnjytljr.exe)
        • DNS/IP info: mta7.am0.yahoodns.net 98.136.96.91, 25 YAHOO-NE1US United States; vanaheim.cn 141.8.199.94, 443, 49701, 49710 SPRINTHOSTRU Russian Federation; 3 other IPs or domains
        • Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)

        cmd.exe (first instance, started by rpzOeQ5QzX.exe)
        • Dropped: C:\Windows\SysWOW64\...\xnjytljr.exe (copy), PE32
        • Started: conhost.exe

        netsh.exe
        • Started: conhost.exe

        cmd.exe (second instance, started by rpzOeQ5QzX.exe)
        • Started: conhost.exe

        4 other processes (started by rpzOeQ5QzX.exe)
        • Started: conhost.exe; conhost.exe; conhost.exe

        Source                                         Detection  Scanner         Label
        rpzOeQ5QzX.exe                                 38%        Virustotal
        rpzOeQ5QzX.exe                                 100%       Avira           HEUR/AGEN.1311176
        rpzOeQ5QzX.exe                                 100%       Joe Sandbox ML
        Source                                         Detection  Scanner         Label
        C:\Users\user\AppData\Local\Temp\xnjytljr.exe  100%       Avira           TR/Crypt.EPACK.Gen2
        C:\Users\user\AppData\Local\Temp\xnjytljr.exe  100%       Joe Sandbox ML
        No Antivirus matches
        Source                                         Detection  Scanner         Label
        mxs.mail.ru                                    0%         Virustotal
        mta7.am0.yahoodns.net                          1%         Virustotal
        microsoft-com.mail.protection.outlook.com      0%         Virustotal
        vanaheim.cn                                    15%        Virustotal
        smtp.google.com                                0%         Virustotal
        mail.ru                                        0%         Virustotal
        google.com                                     1%         Virustotal
        yahoo.com                                      1%         Virustotal
        Source                                         Detection  Scanner         Label
        vanaheim.cn:443                                100%       URL Reputation  malware
        jotunheim.name:443                             100%       URL Reputation  malware
        jotunheim.name:443                             100%       URL Reputation  malware
        Name                                       IP              Active   Malicious  Antivirus Detection  Reputation
        mxs.mail.ru                                217.69.139.150  true     true                            unknown
        mta7.am0.yahoodns.net                      98.136.96.91    true     true                            unknown
        microsoft-com.mail.protection.outlook.com  104.47.54.36    true     true                            unknown
        vanaheim.cn                                141.8.199.94    true     true                            unknown
        smtp.google.com                            64.233.184.27   true     false                           unknown
        google.com                                 unknown         unknown  true                            unknown
        yahoo.com                                  unknown         unknown  true                            unknown
        mail.ru                                    unknown         unknown  true                            unknown
        Name                Malicious  Antivirus Detection                               Reputation
        vanaheim.cn:443     true       URL Reputation: malware                           unknown
        jotunheim.name:443  true       URL Reputation: malware; URL Reputation: malware  unknown
        IP              Domain                                     Country             ASN    ASN Name                       Malicious
        64.233.184.27   smtp.google.com                            United States       15169  GOOGLEUS                       false
        141.8.199.94    vanaheim.cn                                Russian Federation  35278  SPRINTHOSTRU                   true
        98.136.96.91    mta7.am0.yahoodns.net                      United States       36646  YAHOO-NE1US                    true
        217.69.139.150  mxs.mail.ru                                Russian Federation  47764  MAILRU-ASMailRuRU              true
        104.47.54.36    microsoft-com.mail.protection.outlook.com  United States       8075   MICROSOFT-CORP-MSN-AS-BLOCKUS  true
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1444673
        Start date and time:2024-05-21 04:39:09 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 6m 19s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed:24
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:rpzOeQ5QzX.exe
        renamed because original name is a hash value
        Original Sample Name:cc3ac85b3c5690d542ed9f3266b9bd83.exe
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@32/3@9/5
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 63
        • Number of non-executed functions: 260
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
        • Excluded IPs from analysis (whitelisted): 20.112.250.133, 20.236.44.162, 20.231.239.246, 20.76.201.171, 20.70.246.20
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        Time      Type             Description
        22:40:44  API Interceptor  9x Sleep call for process: svchost.exe modified
        Match           Associated Sample Name / URL                        Detection  Threat Name
        98.136.96.91    newtpp.exe                                          malicious  Phorpiex
        98.136.96.91    gEkl9O5tiu.exe                                      malicious  Phorpiex
        98.136.96.91    file.exe                                            malicious  Phorpiex, Xmrig
        98.136.96.91    .exe                                                malicious  Unknown
        98.136.96.91    l3Qj8QhTYZ.exe                                      malicious  Phorpiex
        98.136.96.91    message.txt.exe                                     malicious  Unknown
        98.136.96.91    test.dat.exe                                        malicious  Unknown
        98.136.96.91    Update-KB7390-x86.exe                               malicious  Unknown
        98.136.96.91    Update-KB5058-x86.exe                               malicious  Unknown
        98.136.96.91    Update-KB78-x86.exe                                 malicious  Unknown
        217.69.139.150  OgcktrbHkI.exe                                      malicious  Tofsee
        217.69.139.150  G7DyaA9iz9.exe                                      malicious  Pushdo
        217.69.139.150  x607DB0i08.exe                                      malicious  Pushdo
        217.69.139.150  x7RlIzQDk1.exe                                      malicious  Unknown
        217.69.139.150  EwK95WVtzI.exe                                      malicious  Pushdo
        217.69.139.150  OWd39WUX3D.exe                                      malicious  Pushdo
        217.69.139.150  0bv3c9AqYs.exe                                      malicious  Pushdo
        217.69.139.150  gEkl9O5tiu.exe                                      malicious  Phorpiex
        217.69.139.150  CX17SY6xF6.exe                                      malicious  Pushdo
        217.69.139.150  PIyT9A3jfC.exe                                      malicious  Pushdo
        104.47.54.36    DWoKcG581L.exe                                      malicious  Tofsee
        104.47.54.36    kPl1mZTpru.exe                                      malicious  Tofsee
        104.47.54.36    Wc4SadetF5.exe                                      malicious  Tofsee
        104.47.54.36    L7iza9mNDI.exe                                      malicious  Tofsee
        104.47.54.36    file.exe                                            malicious  Tofsee
        104.47.54.36    U9dDsItOij.exe                                      malicious  Tofsee
        104.47.54.36    bwntJQufLG.exe                                      malicious  Tofsee
        104.47.54.36    t26nL0kcxj.exe                                      malicious  Tofsee
        104.47.54.36    SecuriteInfo.com.Win32.TrojanX-gen.11678.1633.exe   malicious  Tofsee
        104.47.54.36    SecuriteInfo.com.Win32.TrojanX-gen.5284.17028.exe   malicious  Tofsee
        Match                                      Associated Sample Name / URL                            Detection  Threat Name                             Context
        microsoft-com.mail.protection.outlook.com  OgcktrbHkI.exe                                          malicious  Tofsee                                  104.47.53.36
        microsoft-com.mail.protection.outlook.com  DWoKcG581L.exe                                          malicious  Tofsee                                  104.47.53.36
        microsoft-com.mail.protection.outlook.com  kPl1mZTpru.exe                                          malicious  Tofsee                                  52.101.11.0
        microsoft-com.mail.protection.outlook.com  Wc4SadetF5.exe                                          malicious  Tofsee                                  104.47.53.36
        microsoft-com.mail.protection.outlook.com  L7iza9mNDI.exe                                          malicious  Tofsee                                  52.101.11.0
        microsoft-com.mail.protection.outlook.com  file.exe                                                malicious  Tofsee                                  52.101.11.0
        microsoft-com.mail.protection.outlook.com  sorteado!!.com.exe                                      malicious  Unknown                                 52.101.11.0
        microsoft-com.mail.protection.outlook.com  mvu3vh0t.exe                                            malicious  Tofsee                                  104.47.53.36
        microsoft-com.mail.protection.outlook.com  U9dDsItOij.exe                                          malicious  Tofsee                                  52.101.40.26
        microsoft-com.mail.protection.outlook.com  bwntJQufLG.exe                                          malicious  Tofsee                                  104.47.54.36
        vanaheim.cn                                OgcktrbHkI.exe                                          malicious  Tofsee                                  109.107.161.150
        vanaheim.cn                                DWoKcG581L.exe                                          malicious  Tofsee                                  85.208.208.90
        vanaheim.cn                                kPl1mZTpru.exe                                          malicious  Tofsee                                  77.232.138.239
        vanaheim.cn                                Wc4SadetF5.exe                                          malicious  Tofsee                                  5.188.88.112
        vanaheim.cn                                L7iza9mNDI.exe                                          malicious  Tofsee                                  5.188.88.112
        vanaheim.cn                                file.exe                                                malicious  Tofsee                                  5.188.88.112
        vanaheim.cn                                mvu3vh0t.exe                                            malicious  Tofsee                                  194.169.163.56
        vanaheim.cn                                U9dDsItOij.exe                                          malicious  Tofsee                                  194.169.163.56
        vanaheim.cn                                bwntJQufLG.exe                                          malicious  Tofsee                                  194.169.163.56
        vanaheim.cn                                t26nL0kcxj.exe                                          malicious  Tofsee                                  194.169.163.56
        mxs.mail.ru                                OgcktrbHkI.exe                                          malicious  Tofsee                                  217.69.139.150
        mxs.mail.ru                                a5hbkmGD7N.exe                                          malicious  Pushdo                                  94.100.180.31
        mxs.mail.ru                                G7DyaA9iz9.exe                                          malicious  Pushdo                                  217.69.139.150
        mxs.mail.ru                                x7RlIzQDk1.exe                                          malicious  Unknown                                 217.69.139.150
        mxs.mail.ru                                gEkl9O5tiu.exe                                          malicious  Phorpiex                                94.100.180.31
        mxs.mail.ru                                PIyT9A3jfC.exe                                          malicious  Pushdo                                  217.69.139.150
        mxs.mail.ru                                file.exe                                                malicious  Phorpiex, Xmrig                         217.69.139.150
        mxs.mail.ru                                rLDmqbpt5D.exe                                          malicious  Pushdo, DanaBot, RedLine, SmokeLoader   94.100.180.31
        mxs.mail.ru                                .exe                                                    malicious  Unknown                                 94.100.180.31
        mxs.mail.ru                                file.exe                                                malicious  Pushdo, DanaBot, SmokeLoader            217.69.139.150
        mta7.am0.yahoodns.net                      SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe  malicious  Phorpiex                                67.195.228.94
        mta7.am0.yahoodns.net                      SecuriteInfo.com.Win32.BotX-gen.31335.5127.exe          malicious  Tofsee                                  67.195.204.73
        mta7.am0.yahoodns.net                      file.exe                                                malicious  Phorpiex                                67.195.228.111
        mta7.am0.yahoodns.net                      file.exe                                                malicious  Phorpiex
                                                                    • 98.136.96.77
                                                                    RqrQG7s66x.dllGet hashmaliciousUnknownBrowse
                                                                    • 67.195.204.79
                                                                    3pYA64ZwEC.exeGet hashmaliciousUnknownBrowse
                                                                    • 98.136.96.77
                                                                    newtpp.exeGet hashmaliciousPhorpiexBrowse
                                                                    • 98.136.96.91
                                                                    7b8wRbnmKu.exeGet hashmaliciousUnknownBrowse
                                                                    • 67.195.204.79
                                                                    file.msg.scr.exeGet hashmaliciousUnknownBrowse
                                                                    • 67.195.204.79
                                                                    l3Qj8QhTYZ.exeGet hashmaliciousPhorpiexBrowse
                                                                    • 98.136.96.76
                                                                    Associated Sample Name / URL | Detection | Threat Name
                                                                    Match: MAILRU-ASMailRuRU
                                                                    uUyFtCTKDd.elf | malicious | Mirai
                                                                    • 94.100.184.243
                                                                    https://www.ixxin.cn/go.html?url=https://ok.me/b5SG1?M6bxrJ9vlWS?MtRgHryntBJ | malicious | GRQ Scam
                                                                    • 217.20.155.6
                                                                    OgcktrbHkI.exe | malicious | Tofsee
                                                                    • 217.69.139.150
                                                                    c40snYcuW6.elf | malicious | Mirai
                                                                    • 5.61.23.80
                                                                    arm7.elf | malicious | Mirai
                                                                    • 217.69.134.17
                                                                    SkM9yWax29.elf | malicious | Mirai
                                                                    • 178.237.22.126
                                                                    base.apk | malicious | Anubis BankBot
                                                                    • 178.237.20.131
                                                                    UD6c1o6Fhg.elf | malicious | Mirai
                                                                    • 94.100.184.227
                                                                    BSKbaZ6Mij.elf | malicious | Mirai
                                                                    • 94.100.184.245
                                                                    https://cloud.mail.ru/stock/hG498Pfe7uJ1fEVeN7iTtbHo | malicious | HTMLPhisher
                                                                    • 5.61.23.11
                                                                    Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
                                                                    https://flow.page/ladobedocs | malicious | HTMLPhisher
                                                                    • 52.98.179.50
                                                                    n6N8r2Rjfa | malicious | Unknown
                                                                    • 52.109.76.243
                                                                    SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.31526.29136.xlsx | malicious | Unknown
                                                                    • 13.107.213.45
                                                                    https://winrocket07.z13.web.core.windows.net/ | malicious | TechSupportScam
                                                                    • 13.107.246.60
                                                                    https://zoom.us/download | malicious | Unknown
                                                                    • 13.107.213.45
                                                                    https://20maymic17.z13.web.core.windows.net/ | malicious | TechSupportScam
                                                                    • 13.107.246.60
                                                                    https://serviappnrems122.z20.web.core.windows.net/ | malicious | TechSupportScam
                                                                    • 13.107.213.67
                                                                    phish_alert_sp2_2.0.0.0.eml | malicious | HTMLPhisher
                                                                    • 13.107.136.10
                                                                    Setup (1).exe | malicious | Unknown
                                                                    • 52.182.141.63
                                                                    https://moeteduvn-my.sharepoint.com/:w:/g/personal/nguyenhahuy_c1lvt_cs_gli_moet_edu_vn/Ec0DZcnxoTZGvZEQ93EU3cIBwjF1awEF63hDOlCQZZIozA?e=4%3aFNLNv7&at=9 | malicious | HTMLPhisher
                                                                    • 13.107.136.10
                                                                    Match: SPRINTHOSTRU
                                                                    ckx1nc2UXk.exe | malicious | Blank Grabber, DCRat, Umbral Stealer, XWorm
                                                                    • 141.8.192.103
                                                                    qxHQmnOvjL.exe | malicious | DCRat
                                                                    • 141.8.195.33
                                                                    9hupFTW1CI.exe | malicious | DCRat
                                                                    • 141.8.192.93
                                                                    l35QvlkTXb.exe | malicious | DCRat
                                                                    • 141.8.197.42
                                                                    WVswy22Yv1.exe | malicious | DCRat
                                                                    • 141.8.192.169
                                                                    Se7CZnlXZZ.exe | malicious | AgentTesla, PureLog Stealer, zgRAT
                                                                    • 141.8.192.82
                                                                    R29s0ssNyZ.exe | malicious | DCRat
                                                                    • 141.8.192.126
                                                                    nXaujG6G1F.exe | malicious | Blank Grabber, DCRat, Umbral Stealer
                                                                    • 141.8.192.103
                                                                    n0mtzNARob.exe | malicious | DCRat
                                                                    • 141.8.197.42
                                                                    7NJyHYJtVX.exe | malicious | DCRat
                                                                    • 141.8.192.217
                                                                    Match: YAHOO-NE1US
                                                                    V#U2550DEOS.EXE | malicious | Brontok
                                                                    • 74.6.231.20
                                                                    vylI38MZOn.elf | malicious | Mirai
                                                                    • 98.137.87.64
                                                                    https://www.canva.com/design/DAGDiia04Xg/_SQxN5BXpIl2RgDD44fATw/edit?utm_content=DAGDiia04Xg&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton | malicious | HTMLPhisher
                                                                    • 98.137.155.8
                                                                    P5uKPY120j.elf | malicious | Mirai
                                                                    • 216.252.107.75
                                                                    806aab44-6c03-4577-a3c4-83aa13dc7875.tmp | malicious | Unknown
                                                                    • 98.137.155.8
                                                                    https://xsetlp3sattty7yhmls.weebly.com/ | malicious | HTMLPhisher
                                                                    • 74.6.231.20
                                                                    https://ioa.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2FpasswordIP: | malicious | HTMLPhisher
                                                                    • 74.6.231.18
                                                                    https://trhj.pages.dev/IP: | malicious | HTMLPhisher
                                                                    • 74.6.231.18
                                                                    K7HXpfSHdt.elf | malicious | Mirai, Moobot
                                                                    • 98.138.128.222
                                                                    xktih0mnmY.elf | malicious | Mirai, Gafgyt
                                                                    • 98.137.87.74
                                                                    No context
                                                                    No context
                                                                    Process:C:\Users\user\Desktop\rpzOeQ5QzX.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):13172736
                                                                    Entropy (8bit):4.853911281115108
                                                                    Encrypted:false
                                                                    SSDEEP:24576:r2qdjVTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTz:6A
                                                                    MD5:75240FF630B9C24DB13964D6E038456F
                                                                    SHA1:924DEC401F19FF9784D31D3977E239C09DC60698
                                                                    SHA-256:9517E02509B449885F786A820BAC0D8388B189063D26263FA4E7A2AF23F3F50F
                                                                    SHA-512:E7031B48F8D58876D8D677C75FBA8AC717C200FD8CBF2138B773CF97D9D47E93466E136B098DF9D275EC02E2D6C809EC78D16F1B0F97F09741F2AE4FA37670DB
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.R.uu<.uu<.uu<.x'..mu<.x'...u<.x'..Ru<.|...ru<.uu=..u<.....tu<.x'..tu<.....tu<.Richuu<.........PE..L...L+^e.............................8............@................................../.......................................P..P....P...v...........................Q..............................`F..@...............X............................text...C........................... ..`.rdata..xh.......j..................@..@.data........`...n...J..............@....rsrc....v...P...H..................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):13172736
                                                                    Entropy (8bit):4.853911281115108
                                                                    Encrypted:false
                                                                    SSDEEP:24576:r2qdjVTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTz:6A
                                                                    MD5:75240FF630B9C24DB13964D6E038456F
                                                                    SHA1:924DEC401F19FF9784D31D3977E239C09DC60698
                                                                    SHA-256:9517E02509B449885F786A820BAC0D8388B189063D26263FA4E7A2AF23F3F50F
                                                                    SHA-512:E7031B48F8D58876D8D677C75FBA8AC717C200FD8CBF2138B773CF97D9D47E93466E136B098DF9D275EC02E2D6C809EC78D16F1B0F97F09741F2AE4FA37670DB
                                                                    Malicious:true
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.R.uu<.uu<.uu<.x'..mu<.x'...u<.x'..Ru<.|...ru<.uu=..u<.....tu<.x'..tu<.....tu<.Richuu<.........PE..L...L+^e.............................8............@................................../.......................................P..P....P...v...........................Q..............................`F..@...............X............................text...C........................... ..`.rdata..xh.......j..................@..@.data........`...n...J..............@....rsrc....v...P...H..................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\netsh.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):3773
                                                                    Entropy (8bit):4.7109073551842435
                                                                    Encrypted:false
                                                                    SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                    MD5:DA3247A302D70819F10BCEEBAF400503
                                                                    SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                    SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                    SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                    Malicious:false
                                                                    Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):7.081028628224185
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:rpzOeQ5QzX.exe
                                                                    File size:208'896 bytes
                                                                    MD5:cc3ac85b3c5690d542ed9f3266b9bd83
                                                                    SHA1:af14f36d9412a1c79453a622a5ad343cc01ca6f7
                                                                    SHA256:8eb33da353d3756d8cd4cb9308fd5ef72a9b35441bec41fd17c3f3ee508ea9ab
                                                                    SHA512:f250d0f37cd513dd6e647355bd1940d7210093eb27a1bf2d6dbe6ef8673af731c7dccef24c9948a36ac4e06a18803c9082fb7db7ba59a5ecbf94d064981c6a74
                                                                    SSDEEP:3072:hpBsWcSkjvEOx+ss6IR15t471Z6/MJlJnmd772g+iBGLYS:h87S4PIj54brGj+i6Y
                                                                    TLSH:B114BE1276E184B0F67786329971CA515A3FFCA299758A5B33D8234E1C707C09B26BB3
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.R.uu<.uu<.uu<.x'..mu<.x'...u<.x'..Ru<.|...ru<.uu=..u<.....tu<.x'..tu<.....tu<.Richuu<.........PE..L...L+^e...................
                                                                    Icon Hash:754145110244484b
                                                                    Entrypoint:0x4038c3
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x655E2B4C [Wed Nov 22 16:24:44 2023 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:1
                                                                    File Version Major:5
                                                                    File Version Minor:1
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:1
                                                                    Import Hash:be6912d7f98e28f6fe62d68348833ccb
                                                                    Instruction
                                                                    call 00007F09D135F05Ch
                                                                    jmp 00007F09D135AFD4h
                                                                    cmp ecx, dword ptr [00416C08h]
                                                                    jne 00007F09D135B154h
                                                                    rep ret
                                                                    jmp 00007F09D135F1CBh
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    sub esp, 20h
                                                                    push esi
                                                                    push edi
                                                                    push 00000008h
                                                                    pop ecx
                                                                    mov esi, 00410030h
                                                                    lea edi, dword ptr [ebp-20h]
                                                                    rep movsd
                                                                    mov esi, dword ptr [ebp+0Ch]
                                                                    mov edi, dword ptr [ebp+08h]
                                                                    test esi, esi
                                                                    je 00007F09D135B165h
                                                                    test byte ptr [esi], 00000010h
                                                                    je 00007F09D135B160h
                                                                    mov ecx, dword ptr [edi]
                                                                    sub ecx, 04h
                                                                    push ecx
                                                                    mov eax, dword ptr [ecx]
                                                                    mov esi, dword ptr [eax+18h]
                                                                    call dword ptr [eax+20h]
                                                                    mov dword ptr [ebp-08h], edi
                                                                    mov dword ptr [ebp-04h], esi
                                                                    test esi, esi
                                                                    je 00007F09D135B15Eh
                                                                    test byte ptr [esi], 00000008h
                                                                    je 00007F09D135B159h
                                                                    mov dword ptr [ebp-0Ch], 01994000h
                                                                    lea eax, dword ptr [ebp-0Ch]
                                                                    push eax
                                                                    push dword ptr [ebp-10h]
                                                                    push dword ptr [ebp-1Ch]
                                                                    push dword ptr [ebp-20h]
                                                                    call dword ptr [0040F090h]
                                                                    pop edi
                                                                    pop esi
                                                                    mov esp, ebp
                                                                    pop ebp
                                                                    retn 0008h
                                                                    push eax
                                                                    push dword ptr fs:[00000000h]
                                                                    lea eax, dword ptr [esp+0Ch]
                                                                    sub esp, dword ptr [esp+0Ch]
                                                                    push ebx
                                                                    push esi
                                                                    push edi
                                                                    mov dword ptr [eax], ebp
                                                                    mov ebp, eax
                                                                    mov eax, dword ptr [00416C08h]
                                                                    xor eax, ebp
                                                                    push eax
                                                                    mov dword ptr [ebp-10h], esp
                                                                    push dword ptr [ebp-04h]
                                                                    mov dword ptr [ebp-04h], FFFFFFFFh
                                                                    lea eax, dword ptr [ebp-0Ch]
                                                                    mov dword ptr fs:[00000000h], eax
                                                                    ret
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push esi
                                                                    cld
                                                                    mov esi, dword ptr [ebp+0Ch]
                                                                    mov ecx, dword ptr [esi+08h]
                                                                    xor ecx, esi
                                                                    call 00007F09D135B09Bh
                                                                    push 00000000h
                                                                    push esi
                                                                    Programming Language:
                                                                    • [ASM] VS2013 build 21005
                                                                    • [ C ] VS2013 build 21005
                                                                    • [C++] VS2013 build 21005
                                                                    • [IMP] VS2008 SP1 build 30729
                                                                    • [RES] VS2013 build 21005
                                                                    • [LNK] VS2013 UPD5 build 40629
                                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x150bc | 0x50 | .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x75000 | 0x76f8 | .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1510c | 0x1c | .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x14660 | 0x40 | .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x158 | .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                    .text | 0x1000 | 0xda43 | 0xdc00 | 4d0c19d46862ba8790611d5ebf74a48b | False | 0.6017933238636364 | data | 6.691347110625469 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                    .rdata | 0xf000 | 0x6878 | 0x6a00 | 53f2b9223c05cdc93960f244eb6c8351 | False | 0.38277564858490565 | data | 4.718321390297875 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .data | 0x16000 | 0x5e4c0 | 0x16e00 | a96898572ff97649388bb2fefbb7c9f6 | False | 0.9101135587431693 | data | 7.69885469348813 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                    .rsrc | 0x75000 | 0x76f8 | 0x7800 | a1dd299673d24addc503e28a8707735e | False | 0.47369791666666666 | data | 4.793640659331149 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                    AFX_DIALOG_LAYOUT | 0x7b280 | 0x2 | data | | | 5.0
                                                                    RT_CURSOR | 0x7b288 | 0x330 | Device independent bitmap graphic, 48 x 96 x 1, image size 0 | | | 0.1948529411764706
                                                                    RT_CURSOR | 0x7b5b8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.33223684210526316
                                                                    RT_ICON | 0x753e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Japanese | Japan | 0.43630063965884863
                                                                    RT_ICON | 0x76288 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Japanese | Japan | 0.5487364620938628
                                                                    RT_ICON | 0x76b30 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.5881336405529954
                                                                    RT_ICON | 0x771f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Japanese | Japan | 0.6011560693641619
                                                                    RT_ICON | 0x77760 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.44439834024896263
                                                                    RT_ICON | 0x79d08 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Japanese | Japan | 0.49437148217636023
                                                                    RT_ICON | 0x7adb0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.5230496453900709
                                                                    RT_STRING | 0x7b968 | 0x44e | data | Japanese | Japan | 0.4573502722323049
                                                                    RT_STRING | 0x7bdb8 | 0x69e | data | Japanese | Japan | 0.43211334120425027
                                                                    RT_STRING | 0x7c458 | 0x29a | data | Japanese | Japan | 0.4864864864864865
                                                                    RT_GROUP_CURSOR | 0x7b6e8 | 0x22 | data | | | 1.0294117647058822
                                                                    RT_GROUP_ICON | 0x7b218 | 0x68 | data | Japanese | Japan | 0.6826923076923077
                                                                    RT_VERSION | 0x7b710 | 0x258 | data | | | 0.535
                                                                    DLL | Import
                                                                    KERNEL32.dll | CreateEventA, WriteConsoleW, IsBadStringPtrA, GetLastError, SetLastError, GetProcAddress, RemoveDirectoryA, LoadLibraryA, GetVolumeInformationA, LocalAlloc, GetNumberFormatW, CreateEventW, GetModuleFileNameA, LoadLibraryExA, GetCommTimeouts, BuildCommDCBA, VirtualProtect, SetFileAttributesW, GetSystemDirectoryW, GetConsoleAliasA, GetTickCount, WriteConsoleA, SetComputerNameExA, EncodePointer, DecodePointer, HeapReAlloc, ExitProcess, GetModuleHandleExW, MultiByteToWideChar, WideCharToMultiByte, GetCommandLineW, RaiseException, RtlUnwind, IsProcessorFeaturePresent, HeapAlloc, IsDebuggerPresent, ReadFile, HeapSize, HeapFree, GetProcessHeap, EnterCriticalSection, LeaveCriticalSection, CloseHandle, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetStdHandle, WriteFile, GetModuleFileNameW, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCurrentThreadId, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetFilePointerEx, GetConsoleMode, LCMapStringW, SetStdHandle, FlushFileBuffers, GetConsoleCP, OutputDebugStringW, GetStringTypeW, CreateFileW
                                                                    GDI32.dll | GetBoundsRect, GetCharWidthI
                                                                    ADVAPI32.dll | ReadEventLogW
                                                                    Language of compilation system | Country where language is spoken
                                                                    Japanese | Japan
                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    May 21, 2024 04:40:02.832304001 CEST | 49700 | 25 | 192.168.2.6 | 104.47.54.36
                                                                    May 21, 2024 04:40:03.846759081 CEST | 49700 | 25 | 192.168.2.6 | 104.47.54.36
                                                                    May 21, 2024 04:40:05.780283928 CEST | 49701 | 443 | 192.168.2.6 | 141.8.199.94
                                                                    May 21, 2024 04:40:05.780376911 CEST | 443 | 49701 | 141.8.199.94 | 192.168.2.6
                                                                    May 21, 2024 04:40:05.780498028 CEST | 49701 | 443 | 192.168.2.6 | 141.8.199.94
                                                                    May 21, 2024 04:40:05.862535954 CEST | 49700 | 25 | 192.168.2.6 | 104.47.54.36
                                                                    May 21, 2024 04:40:09.878149033 CEST | 49700 | 25 | 192.168.2.6 | 104.47.54.36
                                                                    May 21, 2024 04:40:17.878889084 CEST | 49700 | 25 | 192.168.2.6 | 104.47.54.36
                                                                    May 21, 2024 04:40:22.883913994 CEST | 49708 | 25 | 192.168.2.6 | 98.136.96.91
                                                                    May 21, 2024 04:40:23.893948078 CEST | 49708 | 25 | 192.168.2.6 | 98.136.96.91
                                                                    May 21, 2024 04:40:25.909373999 CEST | 49708 | 25 | 192.168.2.6 | 98.136.96.91
                                                                    May 21, 2024 04:40:29.909415960 CEST | 49708 | 25 | 192.168.2.6 | 98.136.96.91
                                                                    May 21, 2024 04:40:37.909441948 CEST | 49708 | 25 | 192.168.2.6 | 98.136.96.91
                                                                    May 21, 2024 04:40:42.931816101 CEST | 49709 | 25 | 192.168.2.6 | 64.233.184.27
                                                                    May 21, 2024 04:40:43.924849033 CEST | 49709 | 25 | 192.168.2.6 | 64.233.184.27
                                                                    May 21, 2024 04:40:45.768899918 CEST | 49701 | 443 | 192.168.2.6 | 141.8.199.94
                                                                    May 21, 2024 04:40:45.769067049 CEST | 443 | 49701 | 141.8.199.94 | 192.168.2.6
                                                                    May 21, 2024 04:40:45.769187927 CEST | 49701 | 443 | 192.168.2.6 | 141.8.199.94
                                                                    May 21, 2024 04:40:45.878945112 CEST | 49710 | 443 | 192.168.2.6 | 141.8.199.94
                                                                    May 21, 2024 04:40:45.879024982 CEST | 443 | 49710 | 141.8.199.94 | 192.168.2.6
                                                                    May 21, 2024 04:40:45.879157066 CEST | 49710 | 443 | 192.168.2.6 | 141.8.199.94
                                                                    May 21, 2024 04:40:45.924896002 CEST | 49709 | 25 | 192.168.2.6 | 64.233.184.27
                                                                    May 21, 2024 04:40:49.924870968 CEST | 49709 | 25 | 192.168.2.6 | 64.233.184.27
                                                                    May 21, 2024 04:40:57.940474033 CEST | 49709 | 25 | 192.168.2.6 | 64.233.184.27
                                                                    May 21, 2024 04:41:03.067404032 CEST | 49712 | 25 | 192.168.2.6 | 217.69.139.150
                                                                    May 21, 2024 04:41:04.096798897 CEST | 49712 | 25 | 192.168.2.6 | 217.69.139.150
                                                                    May 21, 2024 04:41:06.096692085 CEST | 49712 | 25 | 192.168.2.6 | 217.69.139.150
                                                                    May 21, 2024 04:41:10.112350941 CEST | 49712 | 25 | 192.168.2.6 | 217.69.139.150
                                                                    May 21, 2024 04:41:18.112613916 CEST | 49712 | 25 | 192.168.2.6 | 217.69.139.150
                                                                    May 21, 2024 04:41:25.929059982 CEST | 49710 | 443 | 192.168.2.6 | 141.8.199.94
                                                                    May 21, 2024 04:41:25.929285049 CEST | 443 | 49710 | 141.8.199.94 | 192.168.2.6
                                                                    May 21, 2024 04:41:25.929369926 CEST | 49710 | 443 | 192.168.2.6 | 141.8.199.94
                                                                    May 21, 2024 04:41:26.200171947 CEST | 49713 | 443 | 192.168.2.6 | 141.8.199.94
                                                                    May 21, 2024 04:41:26.200259924 CEST | 443 | 49713 | 141.8.199.94 | 192.168.2.6
                                                                    May 21, 2024 04:41:26.200380087 CEST | 49713 | 443 | 192.168.2.6 | 141.8.199.94
                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    May 21, 2024 04:40:02.799287081 CEST | 64995 | 53 | 192.168.2.6 | 1.1.1.1
                                                                    May 21, 2024 04:40:02.831408024 CEST | 53 | 64995 | 1.1.1.1 | 192.168.2.6
                                                                    May 21, 2024 04:40:05.771662951 CEST | 64434 | 53 | 192.168.2.6 | 1.1.1.1
                                                                    May 21, 2024 04:40:05.779428959 CEST | 53 | 64434 | 1.1.1.1 | 192.168.2.6
                                                                    May 21, 2024 04:40:22.864625931 CEST | 52850 | 53 | 192.168.2.6 | 1.1.1.1
                                                                    May 21, 2024 04:40:22.872256994 CEST | 53 | 52850 | 1.1.1.1 | 192.168.2.6
                                                                    May 21, 2024 04:40:22.872972012 CEST | 65095 | 53 | 192.168.2.6 | 1.1.1.1
                                                                    May 21, 2024 04:40:22.880354881 CEST | 53 | 65095 | 1.1.1.1 | 192.168.2.6
                                                                    May 21, 2024 04:40:42.895066977 CEST | 57675 | 53 | 192.168.2.6 | 1.1.1.1
                                                                    May 21, 2024 04:40:42.902456045 CEST | 53 | 57675 | 1.1.1.1 | 192.168.2.6
                                                                    May 21, 2024 04:40:42.908421040 CEST | 55662 | 53 | 192.168.2.6 | 1.1.1.1
                                                                    May 21, 2024 04:40:42.915566921 CEST | 53 | 55662 | 1.1.1.1 | 192.168.2.6
                                                                    May 21, 2024 04:41:02.941055059 CEST | 59524 | 53 | 192.168.2.6 | 1.1.1.1
                                                                    May 21, 2024 04:41:02.999489069 CEST | 53 | 59524 | 1.1.1.1 | 192.168.2.6
                                                                    May 21, 2024 04:41:03.000166893 CEST | 57515 | 53 | 192.168.2.6 | 1.1.1.1
                                                                    May 21, 2024 04:41:03.066701889 CEST | 53 | 57515 | 1.1.1.1 | 192.168.2.6
                                                                    May 21, 2024 04:42:04.837346077 CEST | 55817 | 53 | 192.168.2.6 | 1.1.1.1
                                                                    May 21, 2024 04:42:04.918028116 CEST | 53 | 55817 | 1.1.1.1 | 192.168.2.6
                                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                    May 21, 2024 04:40:02.799287081 CEST | 192.168.2.6 | 1.1.1.1 | 0xf4ba | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:05.771662951 CEST | 192.168.2.6 | 1.1.1.1 | 0x3cd1 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.864625931 CEST | 192.168.2.6 | 1.1.1.1 | 0xe2d3 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.872972012 CEST | 192.168.2.6 | 1.1.1.1 | 0x3fd | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:42.895066977 CEST | 192.168.2.6 | 1.1.1.1 | 0xa876 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:42.908421040 CEST | 192.168.2.6 | 1.1.1.1 | 0x4dde | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:41:02.941055059 CEST | 192.168.2.6 | 1.1.1.1 | 0x5374 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
                                                                    May 21, 2024 04:41:03.000166893 CEST | 192.168.2.6 | 1.1.1.1 | 0x55e0 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:42:04.837346077 CEST | 192.168.2.6 | 1.1.1.1 | 0xa746 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
                                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                    May 21, 2024 04:40:02.831408024 CEST | 1.1.1.1 | 192.168.2.6 | 0xf4ba | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:02.831408024 CEST | 1.1.1.1 | 192.168.2.6 | 0xf4ba | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:05.779428959 CEST | 1.1.1.1 | 192.168.2.6 | 0x3cd1 | No error (0) | vanaheim.cn | | 141.8.199.94 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.872256994 CEST | 1.1.1.1 | 192.168.2.6 | 0xe2d3 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.872256994 CEST | 1.1.1.1 | 192.168.2.6 | 0xe2d3 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.872256994 CEST | 1.1.1.1 | 192.168.2.6 | 0xe2d3 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.880354881 CEST | 1.1.1.1 | 192.168.2.6 | 0x3fd | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.880354881 CEST | 1.1.1.1 | 192.168.2.6 | 0x3fd | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.74 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.880354881 CEST | 1.1.1.1 | 192.168.2.6 | 0x3fd | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.880354881 CEST | 1.1.1.1 | 192.168.2.6 | 0x3fd | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.880354881 CEST | 1.1.1.1 | 192.168.2.6 | 0x3fd | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.880354881 CEST | 1.1.1.1 | 192.168.2.6 | 0x3fd | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.880354881 CEST | 1.1.1.1 | 192.168.2.6 | 0x3fd | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:22.880354881 CEST | 1.1.1.1 | 192.168.2.6 | 0x3fd | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.111 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:42.902456045 CEST | 1.1.1.1 | 192.168.2.6 | 0xa876 | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:42.915566921 CEST | 1.1.1.1 | 192.168.2.6 | 0x4dde | No error (0) | smtp.google.com | | 64.233.184.27 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:42.915566921 CEST | 1.1.1.1 | 192.168.2.6 | 0x4dde | No error (0) | smtp.google.com | | 142.251.173.27 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:42.915566921 CEST | 1.1.1.1 | 192.168.2.6 | 0x4dde | No error (0) | smtp.google.com | | 142.251.168.27 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:42.915566921 CEST | 1.1.1.1 | 192.168.2.6 | 0x4dde | No error (0) | smtp.google.com | | 74.125.206.27 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:40:42.915566921 CEST | 1.1.1.1 | 192.168.2.6 | 0x4dde | No error (0) | smtp.google.com | | 64.233.184.26 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:41:02.999489069 CEST | 1.1.1.1 | 192.168.2.6 | 0x5374 | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
                                                                    May 21, 2024 04:41:03.066701889 CEST | 1.1.1.1 | 192.168.2.6 | 0x55e0 | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:41:03.066701889 CEST | 1.1.1.1 | 192.168.2.6 | 0x55e0 | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:42:04.918028116 CEST | 1.1.1.1 | 192.168.2.6 | 0xa746 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:42:04.918028116 CEST | 1.1.1.1 | 192.168.2.6 | 0xa746 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:42:04.918028116 CEST | 1.1.1.1 | 192.168.2.6 | 0xa746 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
                                                                    May 21, 2024 04:42:04.918028116 CEST | 1.1.1.1 | 192.168.2.6 | 0xa746 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false

                                                                    Target ID:0
                                                                    Start time:22:39:56
                                                                    Start date:20/05/2024
                                                                    Path:C:\Users\user\Desktop\rpzOeQ5QzX.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\rpzOeQ5QzX.exe"
                                                                    Imagebase:0x400000
                                                                    File size:208'896 bytes
                                                                    MD5 hash:CC3AC85B3C5690D542ED9F3266B9BD83
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2134977363.00000000005CE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2092973488.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2092973488.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2092973488.00000000020C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:22:39:57
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\hvjnshqw\
                                                                    Imagebase:0x1c0000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:22:39:57
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff66e660000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:22:39:58
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\xnjytljr.exe" C:\Windows\SysWOW64\hvjnshqw\
                                                                    Imagebase:0x1c0000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:22:39:58
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff66e660000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:22:39:58
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                    Imagebase:0xac0000
                                                                    File size:61'440 bytes
                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:7
                                                                    Start time:22:39:58
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff66e660000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:22:39:59
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\sc.exe" description hvjnshqw "wifi internet conection"
                                                                    Imagebase:0xac0000
                                                                    File size:61'440 bytes
                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:22:39:59
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff66e660000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:22:39:59
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\sc.exe" start hvjnshqw
                                                                    Imagebase:0xac0000
                                                                    File size:61'440 bytes
                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:22:39:59
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff66e660000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:22:39:59
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d"C:\Users\user\Desktop\rpzOeQ5QzX.exe"
                                                                    Imagebase:0x400000
                                                                    File size:13'172'736 bytes
                                                                    MD5 hash:75240FF630B9C24DB13964D6E038456F
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2134681317.00000000007CC000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2128922943.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2134638344.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2134638344.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2134638344.0000000000770000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:13
                                                                    Start time:22:40:00
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\netsh.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                    Imagebase:0xa60000
                                                                    File size:82'432 bytes
                                                                    MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:14
                                                                    Start time:22:40:00
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                    Imagebase:0x7ff7403e0000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:15
                                                                    Start time:22:40:00
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff66e660000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:16
                                                                    Start time:22:40:00
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:svchost.exe
                                                                    Imagebase:0xa60000
                                                                    File size:46'504 bytes
                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Has exited:false

                                                                    Target ID:17
                                                                    Start time:22:40:00
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6788 -ip 6788
                                                                    Imagebase:0x1000000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:18
                                                                    Start time:22:40:00
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3328 -ip 3328
                                                                    Imagebase:0x1000000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:22:40:01
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 548
                                                                    Imagebase:0x1000000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:20
                                                                    Start time:22:40:01
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1184
                                                                    Imagebase:0x1000000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:23
                                                                    Start time:22:40:42
                                                                    Start date:20/05/2024
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                    Imagebase:0x7ff7403e0000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:false

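The process list above records the whole installation chain in four command lines: `sc.exe create` with a binPath under a randomly named `C:\Windows\SysWOW64\<8 letters>\<8 letters>.exe`, `sc.exe start` of that service, a `netsh advfirewall` inbound allow rule for `svchost.exe`, and a 32-bit `svchost.exe` started with no `-k` service group (the process the Tofsee Yara rules fire in). The script below is an added example, not part of the Joe Sandbox report or of the sample; it runs a small detector over process-creation events that were constructed from those command lines (they are not sandbox output), and the rule names are illustrative, not the titles of the Sigma rules the report references. It goes slightly beyond the report by correlating the create and start steps on the service name rather than matching each line in isolation.

```python
"""
Detect the service-install / firewall / svchost chain recorded in the process
list above. Added example, not Joe Sandbox or Tofsee code; rule names are
illustrative, not Sigma rule titles.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    target: int      # "Target ID" from the report, used as the event key
    image: str       # image path of the created process
    cmdline: str     # raw command line as logged


# Constructed from the command lines in the process list above (not sandbox output).
SAMPLE_EVENTS = [
    Event(6, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" create hvjnshqw binPath= "C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe /d\"C:\Users\user\Desktop\rpzOeQ5QzX.exe\"" type= own start= auto DisplayName= "wifi support"'),
    Event(8, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" description hvjnshqw "wifi internet conection"'),
    Event(10, r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" start hvjnshqw'),
    Event(13, r"C:\Windows\SysWOW64\netsh.exe",
          r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    Event(14, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k WerSvcGroup"),
    Event(16, r"C:\Windows\SysWOW64\svchost.exe", r"svchost.exe"),
    Event(23, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager"),
]

# Service binary in a SysWOW64 subdirectory where both directory and file are
# 8-letter names, the layout seen in the report (paths are case-insensitive).
RANDOM_SVC_PATH = re.compile(r"^[A-Za-z]:\\Windows\\SysWOW64\\[a-z]{8}\\[a-z]{8}\.exe$", re.IGNORECASE)
SC_CREATE = re.compile(r"\bcreate\s+(\S+)\s.*?binPath=\s*\"(.*?\.exe)", re.IGNORECASE)
SC_START = re.compile(r"\bstart\s+(\S+)", re.IGNORECASE)   # "start= auto" does not match: no whitespace after "start"
NETSH_ALLOW = re.compile(r"advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=\"([^\"]+)\"", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return [(rule, detail)] for one event; an empty list means nothing suspicious."""
    hits = []
    exe = basename(ev.image)
    if exe == "sc.exe":
        m = SC_CREATE.search(ev.cmdline)
        if m:
            name, binpath = m.group(1), m.group(2)
            hits.append(("sc_create", name))
            if RANDOM_SVC_PATH.match(binpath):
                hits.append(("sc_create_random_syswow64_path", binpath))
            return hits
        m = SC_START.search(ev.cmdline)
        if m:
            hits.append(("sc_start", m.group(1)))
    elif exe == "netsh.exe":
        m = NETSH_ALLOW.search(ev.cmdline)
        # svchost.exe never needs an explicit inbound allow rule; one is a
        # sign that a payload hosted in svchost wants to listen.
        if m and "action=allow" in ev.cmdline.lower() and basename(m.group(1)) == "svchost.exe":
            hits.append(("netsh_allow_svchost", m.group(1)))
    elif exe == "svchost.exe":
        # Legitimate instances are started by services.exe with "-k <group>";
        # a bare "svchost.exe" command line is a manually spawned host process.
        if "-k" not in ev.cmdline.split():
            hits.append(("svchost_without_service_group", ev.cmdline))
    return hits


def correlate(events):
    """Classify every event and report whether the whole chain is present:
    a service created on a random SysWOW64 path and later started by name,
    a firewall allow rule for svchost.exe, and an svchost without a group."""
    findings = []
    created = {}      # service name -> target that ran "sc create"
    started = set()   # service names passed to "sc start"
    for ev in events:
        for rule, detail in classify(ev):
            findings.append((ev.target, rule, detail))
            if rule == "sc_create":
                created[detail] = ev.target
            elif rule == "sc_start":
                started.add(detail)
    rules = {r for _, r, _ in findings}
    chain = (
        bool(created.keys() & started)
        and "sc_create_random_syswow64_path" in rules
        and "netsh_allow_svchost" in rules
        and "svchost_without_service_group" in rules
    )
    return findings, chain


if __name__ == "__main__":
    found, chain = correlate(SAMPLE_EVENTS)
    for target, rule, detail in found:
        print(f"target {target:>2}: {rule:<32} {detail}")
    print("full install chain present:", chain)
```

The `description` step (Target 8) and the two service-hosted svchost instances (Targets 14 and 23, both started with `-k`) produce no hits, so the chain verdict rests on the four events that actually carry the behaviour rather than on any process named `sc.exe` or `svchost.exe`.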

                                                                      Execution Graph

                                                                      Execution Coverage:4.1%
                                                                      Dynamic/Decrypted Code Coverage:2%
                                                                      Signature Coverage:24.8%
                                                                      Total number of Nodes:1621
                                                                      Total number of Limit Nodes:19
execution_graph: the rendered node/edge list is not reproduced here. The recoverable content is the set of Windows APIs reached from each code region in the graph:
  0x5d265f region: CreateToolhelp32Snapshot, Module32First, VirtualAlloc
  0x20a0005 region: GetPEB, SetErrorMode, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA
  0x409a6b region: SetErrorMode, SetUnhandledExceptionFilter, GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount, GetModuleHandleA, GetModuleFileNameA, GetCommandLineA, DeleteFileA, GetLastError, Sleep, CreateThread, WSAStartup, CreateEventA, ExitProcess, GetDriveTypeA, CharToOemA, GetTempPathA, GetEnvironmentVariableA, RegOpenKeyExA, RegSetValueExA, RegQueryValueExA, RegDeleteValueA, RegCloseKey, StartServiceCtrlDispatcherA, GetFileAttributesExA, CreateProcessA, ShellExecuteA, CreateFileA, ReadFile, WriteFile, SetFilePointer, GetFileSize, SetFileAttributesA, GetDiskFreeSpaceA, FindCloseChangeNotification, CloseHandle, GetProcAddress, GetSystemDirectoryA, GetWindowsDirectoryA, GetVersionExA, GetSystemInfo, GetCurrentProcess, inet_addr, LoadLibraryA, lstrcpyA, lstrcatA, lstrlenA, wsprintfA
15225->15226 15228 401f82 15226->15228 15227->15225 15229 406ec3 2 API calls 15228->15229 15231 401f8e GetTickCount 15228->15231 15229->15231 15231->14898 15233 406ec3 2 API calls 15232->15233 15234 4080eb 15233->15234 15235 4080f9 15234->15235 15236 4080ef 15234->15236 15238 40704c 16 API calls 15235->15238 15678 407ee6 15236->15678 15240 408110 15238->15240 15239 408269 CreateThread 15257 405e6c 15239->15257 15985 40877e 15239->15985 15242 408156 RegOpenKeyExA 15240->15242 15243 4080f4 15240->15243 15241 40675c 21 API calls 15247 408244 15241->15247 15242->15243 15244 40816d RegQueryValueExA 15242->15244 15243->15239 15243->15241 15245 4081f7 15244->15245 15246 40818d 15244->15246 15248 40820d RegCloseKey 15245->15248 15250 40ec2e codecvt 4 API calls 15245->15250 15246->15245 15251 40ebcc 4 API calls 15246->15251 15247->15239 15249 40ec2e codecvt 4 API calls 15247->15249 15248->15243 15249->15239 15256 4081dd 15250->15256 15252 4081a0 15251->15252 15252->15248 15253 4081aa RegQueryValueExA 15252->15253 15253->15245 15254 4081c4 15253->15254 15255 40ebcc 4 API calls 15254->15255 15255->15256 15256->15248 15746 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15257->15746 15259 405e71 15747 40e654 15259->15747 15261 405ec1 15262 403132 15261->15262 15263 40df70 12 API calls 15262->15263 15264 40313b 15263->15264 15265 40c125 15264->15265 15758 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15265->15758 15267 40c12d 15268 40e654 13 API calls 15267->15268 15269 40c2bd 15268->15269 15270 40e654 13 API calls 15269->15270 15271 40c2c9 15270->15271 15272 40e654 13 API calls 15271->15272 15273 40a47a 15272->15273 15274 408db1 15273->15274 15275 408dbc 15274->15275 15276 40e654 13 API calls 15275->15276 15277 408dec Sleep 15276->15277 15277->14934 15279 40c92f 15278->15279 15280 40c93c 15279->15280 15759 40c517 15279->15759 15282 40ca2b 15280->15282 15283 40e819 11 API calls 15280->15283 15282->14934 15284 40c96a 15283->15284 15285 
40e819 11 API calls 15284->15285 15286 40c97d 15285->15286 15287 40e819 11 API calls 15286->15287 15288 40c990 15287->15288 15289 40c9aa 15288->15289 15290 40ebcc 4 API calls 15288->15290 15289->15282 15291 402684 2 API calls 15289->15291 15290->15289 15292 40ca16 15291->15292 15776 40f428 15292->15776 15295 40ca26 15779 40c8aa 15295->15779 15298 40ca44 15299 40ca4b closesocket 15298->15299 15300 40ca83 15298->15300 15299->15295 15301 40ea84 30 API calls 15300->15301 15302 40caac 15301->15302 15303 40f04e 4 API calls 15302->15303 15304 40cab2 15303->15304 15305 40ea84 30 API calls 15304->15305 15306 40caca 15305->15306 15307 40ea84 30 API calls 15306->15307 15308 40cad9 15307->15308 15787 40c65c 15308->15787 15311 40cb60 closesocket 15311->15282 15313 40dad2 closesocket 15314 40e318 23 API calls 15313->15314 15314->15282 15315 40df4c 20 API calls 15345 40cb70 15315->15345 15320 40e654 13 API calls 15320->15345 15323 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15323->15345 15327 40ea84 30 API calls 15327->15345 15328 40d569 closesocket Sleep 15834 40e318 15328->15834 15329 40d815 wsprintfA 15329->15345 15330 40cc1c GetTempPathA 15330->15345 15331 407ead 6 API calls 15331->15345 15332 40c517 23 API calls 15332->15345 15334 40e8a1 30 API calls 15334->15345 15335 40d582 ExitProcess 15336 40c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15336->15345 15337 40cfe3 GetSystemDirectoryA 15337->15345 15338 40cfad GetEnvironmentVariableA 15338->15345 15339 40675c 21 API calls 15339->15345 15340 40d027 GetSystemDirectoryA 15340->15345 15341 40d105 lstrcatA 15341->15345 15342 40ef1e lstrlenA 15342->15345 15343 40cc9f CreateFileA 15343->15345 15346 40ccc6 WriteFile 15343->15346 15344 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15344->15345 15345->15313 15345->15315 15345->15320 15345->15323 15345->15327 15345->15328 15345->15329 15345->15330 15345->15331 15345->15332 15345->15334 15345->15336 15345->15337 
15345->15338 15345->15339 15345->15340 15345->15341 15345->15342 15345->15343 15345->15344 15347 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15345->15347 15348 40d15b CreateFileA 15345->15348 15353 40d149 SetFileAttributesA 15345->15353 15354 40d36e GetEnvironmentVariableA 15345->15354 15355 40d1bf SetFileAttributesA 15345->15355 15357 40d22d GetEnvironmentVariableA 15345->15357 15358 40d3af lstrcatA 15345->15358 15360 40d3f2 CreateFileA 15345->15360 15362 407fcf 64 API calls 15345->15362 15368 40d4b1 CreateProcessA 15345->15368 15369 40d3e0 SetFileAttributesA 15345->15369 15370 40d26e lstrcatA 15345->15370 15373 40d2b1 CreateFileA 15345->15373 15374 407ee6 64 API calls 15345->15374 15375 40d452 SetFileAttributesA 15345->15375 15378 40d29f SetFileAttributesA 15345->15378 15380 40d31d SetFileAttributesA 15345->15380 15795 40c75d 15345->15795 15807 407e2f 15345->15807 15829 407ead 15345->15829 15839 4031d0 15345->15839 15856 403c09 15345->15856 15866 403a00 15345->15866 15870 40e7b4 15345->15870 15873 40c06c 15345->15873 15879 406f5f GetUserNameA 15345->15879 15890 40e854 15345->15890 15900 407dd6 15345->15900 15349 40cdcc CloseHandle 15346->15349 15350 40cced CloseHandle 15346->15350 15347->15345 15348->15345 15351 40d182 WriteFile CloseHandle 15348->15351 15349->15345 15356 40cd2f 15350->15356 15351->15345 15352 40cd16 wsprintfA 15352->15356 15353->15348 15354->15345 15355->15345 15356->15352 15816 407fcf 15356->15816 15357->15345 15358->15345 15358->15360 15360->15345 15363 40d415 WriteFile CloseHandle 15360->15363 15362->15345 15363->15345 15364 40cd81 WaitForSingleObject CloseHandle CloseHandle 15366 40f04e 4 API calls 15364->15366 15365 40cda5 15367 407ee6 64 API calls 15365->15367 15366->15365 15371 40cdbd DeleteFileA 15367->15371 15368->15345 15372 40d4e8 CloseHandle CloseHandle 15368->15372 15369->15360 15370->15345 15370->15373 15371->15345 15372->15345 15373->15345 15376 40d2d8 WriteFile CloseHandle 15373->15376 
15374->15345 15375->15345 15376->15345 15378->15373 15380->15345 15382 40741b 15381->15382 15383 406dc2 6 API calls 15382->15383 15384 40743f 15383->15384 15385 407469 RegOpenKeyExA 15384->15385 15386 4077f9 15385->15386 15397 407487 ___ascii_stricmp 15385->15397 15386->15003 15387 407703 RegEnumKeyA 15388 407714 RegCloseKey 15387->15388 15387->15397 15388->15386 15389 40f1a5 lstrlenA 15389->15397 15390 4074d2 RegOpenKeyExA 15390->15397 15391 40772c 15393 407742 RegCloseKey 15391->15393 15394 40774b 15391->15394 15392 407521 RegQueryValueExA 15392->15397 15393->15394 15395 4077ec RegCloseKey 15394->15395 15395->15386 15396 4076e4 RegCloseKey 15396->15397 15397->15387 15397->15389 15397->15390 15397->15391 15397->15392 15397->15396 15399 40777e GetFileAttributesExA 15397->15399 15400 407769 15397->15400 15398 4077e3 RegCloseKey 15398->15395 15399->15400 15400->15398 15402 407073 15401->15402 15403 4070b9 RegOpenKeyExA 15402->15403 15404 4070d0 15403->15404 15418 4071b8 15403->15418 15405 406dc2 6 API calls 15404->15405 15408 4070d5 15405->15408 15406 40719b RegEnumValueA 15407 4071af RegCloseKey 15406->15407 15406->15408 15407->15418 15408->15406 15410 4071d0 15408->15410 15424 40f1a5 lstrlenA 15408->15424 15411 407205 RegCloseKey 15410->15411 15412 407227 15410->15412 15411->15418 15413 4072b8 ___ascii_stricmp 15412->15413 15414 40728e RegCloseKey 15412->15414 15415 4072cd RegCloseKey 15413->15415 15416 4072dd 15413->15416 15414->15418 15415->15418 15417 407311 RegCloseKey 15416->15417 15420 407335 15416->15420 15417->15418 15418->15004 15419 4073d5 RegCloseKey 15421 4073e4 15419->15421 15420->15419 15422 40737e GetFileAttributesExA 15420->15422 15423 407397 15420->15423 15422->15423 15423->15419 15425 40f1c3 15424->15425 15425->15408 15427 403ee2 15426->15427 15428 403edc 15426->15428 15427->15010 15429 406dc2 6 API calls 15428->15429 15429->15427 15431 40400b CreateFileA 15430->15431 15432 40402c GetLastError 15431->15432 15434 404052 15431->15434 15433 404037 
15432->15433 15432->15434 15433->15434 15435 404041 Sleep 15433->15435 15434->15008 15434->15013 15434->15014 15435->15431 15435->15434 15437 403f4e GetLastError 15436->15437 15439 403f7c 15436->15439 15438 403f5b WaitForSingleObject GetOverlappedResult 15437->15438 15437->15439 15438->15439 15440 403f8c ReadFile 15439->15440 15441 403ff0 15440->15441 15442 403fc2 GetLastError 15440->15442 15441->15019 15441->15020 15442->15441 15443 403fcf WaitForSingleObject GetOverlappedResult 15442->15443 15443->15441 15445 401924 GetVersionExA 15444->15445 15445->15071 15447 406f55 15446->15447 15448 406eef AllocateAndInitializeSid 15446->15448 15447->15080 15449 406f44 15448->15449 15450 406f1c CheckTokenMembership 15448->15450 15449->15447 15478 406e36 GetUserNameW 15449->15478 15451 406f3b FreeSid 15450->15451 15452 406f2e 15450->15452 15451->15449 15452->15451 15455 409308 15454->15455 15457 40920e 15454->15457 15455->15098 15456 4092f1 Sleep 15456->15457 15457->15455 15457->15456 15457->15457 15458 4092bf ShellExecuteA 15457->15458 15458->15455 15458->15457 15460 40f0f1 15459->15460 15461 40f0ed 15459->15461 15462 40f119 15460->15462 15463 40f0fa lstrlenA SysAllocStringByteLen 15460->15463 15461->15103 15465 40f11c MultiByteToWideChar 15462->15465 15464 40f117 15463->15464 15463->15465 15464->15103 15465->15464 15467 401820 17 API calls 15466->15467 15469 4018f2 15467->15469 15468 4018f9 15468->15098 15469->15468 15481 401280 15469->15481 15471 401908 15471->15098 15494 401000 15472->15494 15474 401839 15475 401851 GetCurrentProcess 15474->15475 15476 40183d 15474->15476 15477 401864 15475->15477 15476->15088 15477->15088 15479 406e97 15478->15479 15480 406e5f LookupAccountNameW 15478->15480 15479->15447 15480->15479 15484 4012e1 ShellExecuteExW 15481->15484 15483 4016f9 GetLastError 15485 401699 15483->15485 15484->15483 15488 4013a8 15484->15488 15485->15471 15486 401570 lstrlenW 15486->15488 15487 4015be GetStartupInfoW 15487->15488 15488->15485 15488->15486 
15488->15487 15488->15488 15489 4015ff CreateProcessWithLogonW 15488->15489 15493 401668 CloseHandle 15488->15493 15490 4016bf GetLastError 15489->15490 15491 40163f WaitForSingleObject 15489->15491 15490->15485 15491->15488 15492 401659 CloseHandle 15491->15492 15492->15488 15493->15488 15495 40100d LoadLibraryA 15494->15495 15511 401023 15494->15511 15496 401021 15495->15496 15495->15511 15496->15474 15497 4010b5 GetProcAddress 15498 4010d1 GetProcAddress 15497->15498 15499 40127b 15497->15499 15498->15499 15500 4010f0 GetProcAddress 15498->15500 15499->15474 15500->15499 15501 401110 GetProcAddress 15500->15501 15501->15499 15502 401130 GetProcAddress 15501->15502 15502->15499 15503 40114f GetProcAddress 15502->15503 15503->15499 15504 40116f GetProcAddress 15503->15504 15504->15499 15505 40118f GetProcAddress 15504->15505 15505->15499 15506 4011ae GetProcAddress 15505->15506 15506->15499 15507 4011ce GetProcAddress 15506->15507 15507->15499 15508 4011ee GetProcAddress 15507->15508 15508->15499 15509 401209 GetProcAddress 15508->15509 15509->15499 15510 401225 GetProcAddress 15509->15510 15510->15499 15512 401241 GetProcAddress 15510->15512 15511->15497 15514 4010ae 15511->15514 15512->15499 15513 40125c GetProcAddress 15512->15513 15513->15499 15514->15474 15517 4069b9 WriteFile 15515->15517 15518 406a3c 15517->15518 15520 4069ff 15517->15520 15518->15113 15518->15114 15519 406a10 WriteFile 15519->15518 15519->15520 15520->15518 15520->15519 15522 40eb17 15521->15522 15523 40eb21 15521->15523 15524 40eae4 2 API calls 15522->15524 15523->15117 15524->15523 15526 40908d 15525->15526 15527 4090e2 wsprintfA 15526->15527 15528 40ee2a 15527->15528 15529 4090fd CreateFileA 15528->15529 15530 40911a lstrlenA WriteFile CloseHandle 15529->15530 15531 40913f 15529->15531 15530->15531 15531->15148 15531->15149 15533 40ee2a 15532->15533 15534 409794 CreateProcessA 15533->15534 15535 4097bb 15534->15535 15536 4097c2 15534->15536 15535->15160 15537 4097d4 GetThreadContext 
15536->15537 15538 409801 15537->15538 15539 4097f5 15537->15539 15546 40637c 15538->15546 15540 4097f6 TerminateProcess 15539->15540 15540->15535 15542 409816 15542->15540 15543 40981e WriteProcessMemory 15542->15543 15543->15539 15544 40983b SetThreadContext 15543->15544 15544->15539 15545 409858 ResumeThread 15544->15545 15545->15535 15547 406386 15546->15547 15548 40638a GetModuleHandleA VirtualAlloc 15546->15548 15547->15542 15549 4063f5 15548->15549 15550 4063b6 15548->15550 15549->15542 15551 4063be VirtualAllocEx 15550->15551 15551->15549 15552 4063d6 15551->15552 15553 4063df WriteProcessMemory 15552->15553 15553->15549 15555 40dbf0 15554->15555 15587 40db67 GetEnvironmentVariableA 15555->15587 15557 40dc19 15558 40db67 3 API calls 15557->15558 15563 40dcda 15557->15563 15559 40dc5c 15558->15559 15560 40db67 3 API calls 15559->15560 15559->15563 15561 40dc9b 15560->15561 15562 40db67 3 API calls 15561->15562 15561->15563 15562->15563 15563->15165 15565 40db55 15564->15565 15566 40db3a 15564->15566 15565->15167 15565->15172 15567 40ebed 8 API calls 15566->15567 15567->15565 15569 40f04e 4 API calls 15568->15569 15572 40e342 15569->15572 15570 40e3be 15570->15167 15572->15570 15591 40de24 15572->15591 15574 40e528 15573->15574 15575 40e3f4 15573->15575 15574->15176 15576 40e434 RegQueryValueExA 15575->15576 15577 40e458 15576->15577 15578 40e51d RegCloseKey 15576->15578 15579 40e46e RegQueryValueExA 15577->15579 15578->15574 15579->15577 15580 40e488 15579->15580 15580->15578 15581 40db2e 8 API calls 15580->15581 15582 40e499 15581->15582 15582->15578 15583 40e4b9 RegQueryValueExA 15582->15583 15584 40e4e8 15582->15584 15583->15582 15583->15584 15584->15578 15585 40e332 14 API calls 15584->15585 15586 40e513 15585->15586 15586->15578 15588 40dbca 15587->15588 15590 40db89 lstrcpyA CreateFileA 15587->15590 15588->15557 15590->15557 15592 40de3a 15591->15592 15593 40dd84 lstrcmpiA 15592->15593 15597 40de4e 15592->15597 15594 40de62 15593->15594 15595 40de76 
15594->15595 15598 40de9e 15594->15598 15602 40ddcf 15595->15602 15596 40ebed 8 API calls 15600 40def6 15596->15600 15597->15572 15598->15596 15598->15597 15600->15597 15601 40ddcf lstrcmpA 15600->15601 15601->15597 15603 40dddd 15602->15603 15605 40de20 15602->15605 15604 40ddfa lstrcmpA 15603->15604 15603->15605 15604->15603 15605->15597 15607 40dd05 6 API calls 15606->15607 15608 40df7c 15607->15608 15609 40dd84 lstrcmpiA 15608->15609 15613 40df89 15609->15613 15610 40dfc4 15610->15198 15611 40ddcf lstrcmpA 15611->15613 15612 40ec2e codecvt 4 API calls 15612->15613 15613->15610 15613->15611 15613->15612 15614 40dd84 lstrcmpiA 15613->15614 15614->15613 15616 40ea98 15615->15616 15643 40e8a1 15616->15643 15618 401e84 15618->15201 15620 4019d5 GetProcAddress GetProcAddress GetProcAddress 15619->15620 15621 4019ce 15619->15621 15622 401ab3 FreeLibrary 15620->15622 15623 401a04 15620->15623 15621->15205 15622->15621 15623->15622 15624 401a14 GetProcessHeap 15623->15624 15624->15621 15626 401a2e HeapAlloc 15624->15626 15626->15621 15627 401a42 15626->15627 15628 401a52 HeapReAlloc 15627->15628 15630 401a62 15627->15630 15628->15630 15629 401aa1 FreeLibrary 15629->15621 15630->15629 15631 401a96 HeapFree 15630->15631 15631->15629 15671 401ac3 LoadLibraryA 15632->15671 15635 401bcf 15635->15217 15637 401ac3 12 API calls 15636->15637 15638 401c09 15637->15638 15639 401c41 15638->15639 15640 401c0d GetComputerNameA 15638->15640 15639->15224 15641 401c45 GetVolumeInformationA 15640->15641 15642 401c1f 15640->15642 15641->15639 15642->15639 15642->15641 15644 40dd05 6 API calls 15643->15644 15645 40e8b4 15644->15645 15646 40dd84 lstrcmpiA 15645->15646 15647 40e8c0 15646->15647 15648 40e90a 15647->15648 15649 40e8c8 lstrcpynA 15647->15649 15650 402419 4 API calls 15648->15650 15659 40ea27 15648->15659 15651 40e8f5 15649->15651 15652 40e926 lstrlenA lstrlenA 15650->15652 15664 40df4c 15651->15664 15653 40e96a 15652->15653 15654 40e94c lstrlenA 15652->15654 15658 40ebcc 4 API 
calls 15653->15658 15653->15659 15654->15653 15656 40e901 15657 40dd84 lstrcmpiA 15656->15657 15657->15648 15660 40e98f 15658->15660 15659->15618 15660->15659 15661 40df4c 20 API calls 15660->15661 15662 40ea1e 15661->15662 15663 40ec2e codecvt 4 API calls 15662->15663 15663->15659 15665 40dd05 6 API calls 15664->15665 15666 40df51 15665->15666 15667 40f04e 4 API calls 15666->15667 15668 40df58 15667->15668 15669 40de24 10 API calls 15668->15669 15670 40df63 15669->15670 15670->15656 15672 401ae2 GetProcAddress 15671->15672 15673 401b68 GetComputerNameA GetVolumeInformationA 15671->15673 15672->15673 15674 401af5 15672->15674 15673->15635 15675 401b29 15674->15675 15676 40ebed 8 API calls 15674->15676 15675->15673 15677 40ec2e codecvt 4 API calls 15675->15677 15676->15674 15677->15673 15679 406ec3 2 API calls 15678->15679 15680 407ef4 15679->15680 15681 4073ff 17 API calls 15680->15681 15690 407fc9 15680->15690 15682 407f16 15681->15682 15682->15690 15691 407809 GetUserNameA 15682->15691 15684 407f63 15685 40ef1e lstrlenA 15684->15685 15684->15690 15686 407fa6 15685->15686 15687 40ef1e lstrlenA 15686->15687 15688 407fb7 15687->15688 15715 407a95 RegOpenKeyExA 15688->15715 15690->15243 15692 40783d LookupAccountNameA 15691->15692 15693 407a8d 15691->15693 15692->15693 15694 407874 GetLengthSid GetFileSecurityA 15692->15694 15693->15684 15694->15693 15695 4078a8 GetSecurityDescriptorOwner 15694->15695 15696 4078c5 EqualSid 15695->15696 15697 40791d GetSecurityDescriptorDacl 15695->15697 15696->15697 15698 4078dc LocalAlloc 15696->15698 15697->15693 15705 407941 15697->15705 15698->15697 15699 4078ef InitializeSecurityDescriptor 15698->15699 15700 407916 LocalFree 15699->15700 15701 4078fb SetSecurityDescriptorOwner 15699->15701 15700->15697 15701->15700 15703 40790b SetFileSecurityA 15701->15703 15702 40795b GetAce 15702->15705 15703->15700 15704 407980 EqualSid 15704->15705 15705->15693 15705->15702 15705->15704 15706 407a3d 15705->15706 15707 4079be EqualSid 
15705->15707 15708 40799d DeleteAce 15705->15708 15706->15693 15709 407a43 LocalAlloc 15706->15709 15707->15705 15708->15705 15709->15693 15710 407a56 InitializeSecurityDescriptor 15709->15710 15711 407a62 SetSecurityDescriptorDacl 15710->15711 15712 407a86 LocalFree 15710->15712 15711->15712 15713 407a73 SetFileSecurityA 15711->15713 15712->15693 15713->15712 15714 407a83 15713->15714 15714->15712 15716 407ac4 15715->15716 15717 407acb GetUserNameA 15715->15717 15716->15690 15718 407da7 RegCloseKey 15717->15718 15719 407aed LookupAccountNameA 15717->15719 15718->15716 15719->15718 15720 407b24 RegGetKeySecurity 15719->15720 15720->15718 15721 407b49 GetSecurityDescriptorOwner 15720->15721 15722 407b63 EqualSid 15721->15722 15723 407bb8 GetSecurityDescriptorDacl 15721->15723 15722->15723 15725 407b74 LocalAlloc 15722->15725 15724 407da6 15723->15724 15732 407bdc 15723->15732 15724->15718 15725->15723 15726 407b8a InitializeSecurityDescriptor 15725->15726 15728 407bb1 LocalFree 15726->15728 15729 407b96 SetSecurityDescriptorOwner 15726->15729 15727 407bf8 GetAce 15727->15732 15728->15723 15729->15728 15730 407ba6 RegSetKeySecurity 15729->15730 15730->15728 15731 407c1d EqualSid 15731->15732 15732->15724 15732->15727 15732->15731 15733 407c5f EqualSid 15732->15733 15734 407c3a DeleteAce 15732->15734 15736 407cd9 15732->15736 15733->15732 15734->15732 15735 407d5a LocalAlloc 15735->15724 15737 407d70 InitializeSecurityDescriptor 15735->15737 15736->15724 15736->15735 15738 407cf2 RegOpenKeyExA 15736->15738 15739 407d7c SetSecurityDescriptorDacl 15737->15739 15740 407d9f LocalFree 15737->15740 15738->15735 15743 407d0f 15738->15743 15739->15740 15741 407d8c RegSetKeySecurity 15739->15741 15740->15724 15741->15740 15742 407d9c 15741->15742 15742->15740 15744 407d43 RegSetValueExA 15743->15744 15744->15735 15745 407d54 15744->15745 15745->15735 15746->15259 15748 40dd05 6 API calls 15747->15748 15752 40e65f 15748->15752 15749 40e6a5 15750 40ebcc 4 API calls 15749->15750 
15757 40e6f5 15749->15757 15751 40e6b0 15750->15751 15754 40e6b7 15751->15754 15756 40e6e0 lstrcpynA 15751->15756 15751->15757 15752->15749 15753 40e68c lstrcmpA 15752->15753 15753->15752 15754->15261 15755 40e71d lstrcmpA 15755->15757 15756->15757 15757->15754 15757->15755 15758->15267 15760 40c525 15759->15760 15761 40c532 15759->15761 15760->15761 15763 40ec2e codecvt 4 API calls 15760->15763 15762 40c548 15761->15762 15907 40e7ff 15761->15907 15765 40e7ff lstrcmpiA 15762->15765 15773 40c54f 15762->15773 15763->15761 15766 40c615 15765->15766 15767 40ebcc 4 API calls 15766->15767 15766->15773 15767->15773 15768 40c5d1 15771 40ebcc 4 API calls 15768->15771 15770 40e819 11 API calls 15772 40c5b7 15770->15772 15771->15773 15774 40f04e 4 API calls 15772->15774 15773->15280 15775 40c5bf 15774->15775 15775->15762 15775->15768 15777 40f315 14 API calls 15776->15777 15778 40ca1d 15777->15778 15778->15295 15783 40f43e 15778->15783 15781 40c8d2 15779->15781 15780 40c907 15780->15282 15781->15780 15782 40c517 23 API calls 15781->15782 15782->15780 15784 40f473 recv 15783->15784 15785 40f47c 15784->15785 15786 40f458 15784->15786 15785->15298 15786->15784 15786->15785 15788 40c670 15787->15788 15789 40c67d 15787->15789 15790 40ebcc 4 API calls 15788->15790 15791 40ebcc 4 API calls 15789->15791 15793 40c699 15789->15793 15790->15789 15791->15793 15792 40c6f3 15792->15311 15792->15345 15793->15792 15794 40c73c send 15793->15794 15794->15792 15796 40c770 15795->15796 15797 40c77d 15795->15797 15799 40ebcc 4 API calls 15796->15799 15798 40c799 15797->15798 15800 40ebcc 4 API calls 15797->15800 15801 40c7b5 15798->15801 15802 40ebcc 4 API calls 15798->15802 15799->15797 15800->15798 15803 40f43e recv 15801->15803 15802->15801 15804 40c7cb 15803->15804 15805 40f43e recv 15804->15805 15806 40c7d3 15804->15806 15805->15806 15806->15345 15910 407db7 15807->15910 15810 40f04e 4 API calls 15813 407e4c 15810->15813 15811 407e96 15811->15345 15812 40f04e 4 API calls 15812->15811 15814 
40f04e 4 API calls 15813->15814 15815 407e70 15813->15815 15814->15815 15815->15811 15815->15812 15817 406ec3 2 API calls 15816->15817 15818 407fdd 15817->15818 15819 4073ff 17 API calls 15818->15819 15828 4080c2 CreateProcessA 15818->15828 15820 407fff 15819->15820 15821 407809 21 API calls 15820->15821 15820->15828 15822 40804d 15821->15822 15823 40ef1e lstrlenA 15822->15823 15822->15828 15824 40809e 15823->15824 15825 40ef1e lstrlenA 15824->15825 15826 4080af 15825->15826 15827 407a95 24 API calls 15826->15827 15827->15828 15828->15364 15828->15365 15830 407db7 2 API calls 15829->15830 15831 407eb8 15830->15831 15832 40f04e 4 API calls 15831->15832 15833 407ece DeleteFileA 15832->15833 15833->15345 15835 40dd05 6 API calls 15834->15835 15836 40e31d 15835->15836 15914 40e177 15836->15914 15838 40e326 15838->15335 15840 4031f3 15839->15840 15850 4031ec 15839->15850 15841 40ebcc 4 API calls 15840->15841 15855 4031fc 15841->15855 15842 40344b 15843 403459 15842->15843 15844 40349d 15842->15844 15846 40f04e 4 API calls 15843->15846 15845 40ec2e codecvt 4 API calls 15844->15845 15845->15850 15847 40345f 15846->15847 15849 4030fa 4 API calls 15847->15849 15848 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15848->15855 15849->15850 15850->15345 15851 40344d 15852 40ec2e codecvt 4 API calls 15851->15852 15852->15842 15853 4030fa 4 API calls 15853->15855 15854 403141 lstrcmpiA 15854->15855 15855->15842 15855->15848 15855->15850 15855->15851 15855->15853 15855->15854 15857 4030fa 4 API calls 15856->15857 15858 403c1a 15857->15858 15862 403ce6 15858->15862 15940 403a72 15858->15940 15861 403a72 9 API calls 15865 403c5e 15861->15865 15862->15345 15863 403a72 9 API calls 15863->15865 15864 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15864->15865 15865->15862 15865->15863 15865->15864 15867 403a10 15866->15867 15868 4030fa 4 API calls 15867->15868 15869 403a1a 15868->15869 15869->15345 15871 40dd05 6 API calls 15870->15871 15872 40e7be 
15871->15872 15872->15345 15874 40c105 15873->15874 15875 40c07e wsprintfA 15873->15875 15874->15345 15949 40bfce GetTickCount wsprintfA 15875->15949 15877 40c0ef 15950 40bfce GetTickCount wsprintfA 15877->15950 15880 406f88 LookupAccountNameA 15879->15880 15881 407047 15879->15881 15883 407025 15880->15883 15884 406fcb 15880->15884 15881->15345 15885 406edd 5 API calls 15883->15885 15886 406fdb ConvertSidToStringSidA 15884->15886 15887 40702a wsprintfA 15885->15887 15886->15883 15888 406ff1 15886->15888 15887->15881 15889 407013 LocalFree 15888->15889 15889->15883 15891 40dd05 6 API calls 15890->15891 15892 40e85c 15891->15892 15893 40dd84 lstrcmpiA 15892->15893 15894 40e867 15893->15894 15895 40e885 lstrcpyA 15894->15895 15951 4024a5 15894->15951 15954 40dd69 15895->15954 15901 407db7 2 API calls 15900->15901 15902 407de1 15901->15902 15903 40f04e 4 API calls 15902->15903 15906 407e16 15902->15906 15904 407df2 15903->15904 15905 40f04e 4 API calls 15904->15905 15904->15906 15905->15906 15906->15345 15908 40dd84 lstrcmpiA 15907->15908 15909 40c58e 15908->15909 15909->15762 15909->15768 15909->15770 15911 407dc8 InterlockedExchange 15910->15911 15912 407dc0 Sleep 15911->15912 15913 407dd4 15911->15913 15912->15911 15913->15810 15913->15815 15915 40e184 15914->15915 15916 40e2e4 15915->15916 15917 40e223 15915->15917 15930 40dfe2 15915->15930 15916->15838 15917->15916 15919 40dfe2 8 API calls 15917->15919 15923 40e23c 15919->15923 15920 40e1be 15920->15917 15921 40dbcf 3 API calls 15920->15921 15924 40e1d6 15921->15924 15922 40e21a CloseHandle 15922->15917 15923->15916 15934 40e095 RegCreateKeyExA 15923->15934 15924->15917 15924->15922 15925 40e1f9 WriteFile 15924->15925 15925->15922 15927 40e213 15925->15927 15927->15922 15928 40e2a3 15928->15916 15929 40e095 4 API calls 15928->15929 15929->15916 15931 40dffc 15930->15931 15933 40e024 15930->15933 15932 40db2e 8 API calls 15931->15932 15931->15933 15932->15933 15933->15920 15935 40e172 15934->15935 15938 40e0c0 
15934->15938 15935->15928 15936 40e13d 15937 40e14e RegDeleteValueA RegCloseKey 15936->15937 15937->15935 15938->15936 15939 40e115 RegSetValueExA 15938->15939 15939->15936 15939->15938 15941 40f04e 4 API calls 15940->15941 15948 403a83 15941->15948 15942 403ac1 15942->15861 15942->15862 15943 403be6 15944 40ec2e codecvt 4 API calls 15943->15944 15944->15942 15945 403bc0 15945->15943 15946 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15945->15946 15946->15945 15947 403b66 lstrlenA 15947->15942 15947->15948 15948->15942 15948->15945 15948->15947 15949->15877 15950->15874 15952 402419 4 API calls 15951->15952 15953 4024b6 15952->15953 15953->15895 15955 40dd79 lstrlenA 15954->15955 15955->15345 15957 404084 15956->15957 15958 40407d 15956->15958 15959 403ecd 6 API calls 15957->15959 15960 40408f 15959->15960 15961 404000 3 API calls 15960->15961 15963 404095 15961->15963 15962 404130 15964 403ecd 6 API calls 15962->15964 15963->15962 15968 403f18 4 API calls 15963->15968 15965 404159 CreateNamedPipeA 15964->15965 15966 404167 Sleep 15965->15966 15967 404188 ConnectNamedPipe 15965->15967 15966->15962 15969 404176 CloseHandle 15966->15969 15971 404195 GetLastError 15967->15971 15981 4041ab 15967->15981 15970 4040da 15968->15970 15969->15967 15972 403f8c 4 API calls 15970->15972 15973 40425e DisconnectNamedPipe 15971->15973 15971->15981 15974 4040ec 15972->15974 15973->15967 15975 404127 CloseHandle 15974->15975 15976 404101 15974->15976 15975->15962 15977 403f18 4 API calls 15976->15977 15979 40411c ExitProcess 15977->15979 15978 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15978->15981 15980 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15980->15981 15981->15967 15981->15973 15981->15978 15981->15980 15982 40426a CloseHandle CloseHandle 15981->15982 15983 40e318 23 API calls 15982->15983 15984 40427b 15983->15984 15984->15984 15986 408791 15985->15986 15987 40879f 15985->15987 15988 40f04e 4 API calls 
15986->15988 15989 4087bc 15987->15989 15990 40f04e 4 API calls 15987->15990 15988->15987 15991 40e819 11 API calls 15989->15991 15990->15989 15992 4087d7 15991->15992 16005 408803 15992->16005 16007 4026b2 gethostbyaddr 15992->16007 15995 4087eb 15997 40e8a1 30 API calls 15995->15997 15995->16005 15997->16005 16000 40e819 11 API calls 16000->16005 16001 4088a0 Sleep 16001->16005 16003 4026b2 2 API calls 16003->16005 16004 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16004->16005 16005->16000 16005->16001 16005->16003 16005->16004 16006 40e8a1 30 API calls 16005->16006 16012 408cee 16005->16012 16020 40c4d6 16005->16020 16023 40c4e2 16005->16023 16026 402011 16005->16026 16061 408328 16005->16061 16006->16005 16008 4026fb 16007->16008 16009 4026cd 16007->16009 16008->15995 16010 4026e1 inet_ntoa 16009->16010 16011 4026de 16009->16011 16010->16011 16011->15995 16013 408d02 GetTickCount 16012->16013 16014 408dae 16012->16014 16013->16014 16018 408d19 16013->16018 16014->16005 16015 408da1 GetTickCount 16015->16014 16017 40a688 GetTickCount 16017->16018 16018->16015 16018->16017 16019 408d89 16018->16019 16113 40a677 16018->16113 16019->16015 16116 40c2dc 16020->16116 16024 40c2dc 141 API calls 16023->16024 16025 40c4ec 16024->16025 16025->16005 16027 402020 16026->16027 16028 40202e 16026->16028 16029 40f04e 4 API calls 16027->16029 16030 40204b 16028->16030 16031 40f04e 4 API calls 16028->16031 16029->16028 16032 40206e GetTickCount 16030->16032 16033 40f04e 4 API calls 16030->16033 16031->16030 16034 4020db GetTickCount 16032->16034 16043 402090 16032->16043 16038 402068 16033->16038 16036 402132 GetTickCount GetTickCount 16034->16036 16037 4020e7 16034->16037 16035 4020d4 GetTickCount 16035->16034 16039 40f04e 4 API calls 16036->16039 16040 40212b GetTickCount 16037->16040 16050 401978 15 API calls 16037->16050 16056 402125 16037->16056 16196 402ef8 16037->16196 16038->16032 16042 402159 16039->16042 16040->16036 16041 402684 2 
API calls 16041->16043 16046 40e854 13 API calls 16042->16046 16055 4021b4 16042->16055 16043->16035 16043->16041 16052 4020ce 16043->16052 16191 401978 16043->16191 16045 40f04e 4 API calls 16048 4021d1 16045->16048 16049 40218e 16046->16049 16053 40ea84 30 API calls 16048->16053 16060 4021f2 16048->16060 16051 40e819 11 API calls 16049->16051 16050->16037 16054 40219c 16051->16054 16052->16035 16057 4021ec 16053->16057 16054->16055 16204 401c5f 16054->16204 16055->16045 16056->16040 16058 40f04e 4 API calls 16057->16058 16058->16060 16060->16005 16062 407dd6 6 API calls 16061->16062 16063 40833c 16062->16063 16064 406ec3 2 API calls 16063->16064 16072 408340 16063->16072 16065 40834f 16064->16065 16066 40835c 16065->16066 16070 40846b 16065->16070 16067 4073ff 17 API calls 16066->16067 16084 408373 16067->16084 16068 4085df 16071 408626 GetTempPathA 16068->16071 16075 408638 16068->16075 16081 408762 16068->16081 16069 40675c 21 API calls 16069->16068 16073 4084a7 RegOpenKeyExA 16070->16073 16099 408450 16070->16099 16071->16075 16072->16005 16076 4084c0 RegQueryValueExA 16073->16076 16077 40852f 16073->16077 16276 406ba7 IsBadCodePtr 16075->16276 16079 408521 RegCloseKey 16076->16079 16080 4084dd 16076->16080 16082 408564 RegOpenKeyExA 16077->16082 16089 4085a5 16077->16089 16078 4086ad 16078->16081 16083 407e2f 6 API calls 16078->16083 16079->16077 16080->16079 16088 40ebcc 4 API calls 16080->16088 16081->16072 16087 40ec2e codecvt 4 API calls 16081->16087 16085 408573 RegSetValueExA RegCloseKey 16082->16085 16082->16089 16090 4086bb 16083->16090 16084->16072 16093 4083ea RegOpenKeyExA 16084->16093 16084->16099 16085->16089 16086 40875b DeleteFileA 16086->16081 16087->16072 16092 4084f0 16088->16092 16095 40ec2e codecvt 4 API calls 16089->16095 16089->16099 16090->16086 16100 4086e0 lstrcpyA lstrlenA 16090->16100 16092->16079 16094 4084f8 RegQueryValueExA 16092->16094 16096 4083fd RegQueryValueExA 16093->16096 16093->16099 16094->16079 16097 408515 16094->16097 
16095->16099 16101 40842d RegSetValueExA 16096->16101 16102 40841e 16096->16102 16098 40ec2e codecvt 4 API calls 16097->16098 16103 40851d 16098->16103 16099->16068 16099->16069 16104 407fcf 64 API calls 16100->16104 16105 408447 RegCloseKey 16101->16105 16102->16101 16102->16105 16103->16079 16106 408719 CreateProcessA 16104->16106 16105->16099 16107 40873d CloseHandle CloseHandle 16106->16107 16108 40874f 16106->16108 16107->16081 16109 407ee6 64 API calls 16108->16109 16110 408754 16109->16110 16111 407ead 6 API calls 16110->16111 16112 40875a 16111->16112 16112->16086 16114 40a63d GetTickCount 16113->16114 16115 40a685 16114->16115 16115->16018 16117 40a4c7 4 API calls 16116->16117 16118 40c2e9 16117->16118 16119 40c300 GetTickCount 16118->16119 16120 40c326 16118->16120 16131 40c45e 16118->16131 16121 40c337 16119->16121 16120->16121 16124 40c32b GetTickCount 16120->16124 16126 40c363 GetTickCount 16121->16126 16121->16131 16122 40c4d2 16122->16005 16123 40c4ab InterlockedIncrement CreateThread 16123->16122 16125 40c4cb CloseHandle 16123->16125 16132 40b535 16123->16132 16124->16121 16125->16122 16127 40c373 16126->16127 16126->16131 16128 40c378 GetTickCount 16127->16128 16129 40c37f 16127->16129 16128->16129 16130 40c43b GetTickCount 16129->16130 16130->16131 16131->16122 16131->16123 16133 40b566 16132->16133 16134 40ebcc 4 API calls 16133->16134 16135 40b587 16134->16135 16136 40ebcc 4 API calls 16135->16136 16156 40b590 16136->16156 16137 40bdcd InterlockedDecrement 16138 40bde2 16137->16138 16140 40ec2e codecvt 4 API calls 16138->16140 16139 403e10 4 API calls 16139->16156 16141 40bdea 16140->16141 16142 40ec2e codecvt 4 API calls 16141->16142 16144 40bdf2 16142->16144 16143 40bdb7 Sleep 16143->16156 16145 40be05 16144->16145 16147 40ec2e codecvt 4 API calls 16144->16147 16146 40bdcc 16146->16137 16147->16145 16148 40ebed 8 API calls 16148->16156 16149 403e4f 4 API calls 16149->16156 16150 40384f 12 API calls 16150->16156 16151 40b6b6 lstrlenA 
16151->16156 16185 40b740 16151->16185 16152 4030b5 2 API calls 16152->16185 16153 40b6ed lstrcpyA 16155 405ce1 22 API calls 16153->16155 16154 40e819 11 API calls 16154->16185 16155->16156 16156->16137 16156->16139 16156->16146 16156->16148 16156->16149 16156->16150 16156->16151 16156->16153 16158 40b731 lstrlenA 16156->16158 16159 40b71f lstrcmpA 16156->16159 16156->16185 16157 40a7a3 inet_ntoa 16157->16185 16158->16156 16158->16185 16159->16158 16159->16185 16160 40b772 GetTickCount 16160->16185 16161 40bd49 InterlockedIncrement 16163 40a628 4 API calls 16161->16163 16162 40abee 34 API calls 16162->16185 16163->16185 16164 40bc5b InterlockedIncrement 16164->16156 16165 40b7ce InterlockedIncrement 16167 40acd7 14 API calls 16165->16167 16167->16185 16168 40b912 GetTickCount 16168->16185 16169 40b826 InterlockedIncrement 16169->16160 16170 40b932 GetTickCount 16172 40bc6d InterlockedIncrement 16170->16172 16170->16185 16171 40bcdc closesocket 16171->16185 16172->16185 16173 4038f0 6 API calls 16173->16185 16174 40ab81 2 API calls 16176 40bd1a GetTickCount 16174->16176 16175 40bba6 InterlockedIncrement 16175->16185 16180 40a51d 6 API calls 16176->16180 16177 40a7c1 22 API calls 16177->16185 16178 403cfb 4 API calls 16178->16185 16179 40bc4c closesocket 16179->16185 16180->16185 16181 405ce1 22 API calls 16181->16185 16182 40ba71 wsprintfA 16186 40a7c1 22 API calls 16182->16186 16183 405ded 12 API calls 16183->16185 16184 40b3c5 42 API calls 16184->16185 16185->16143 16185->16152 16185->16154 16185->16157 16185->16160 16185->16161 16185->16162 16185->16164 16185->16165 16185->16168 16185->16169 16185->16170 16185->16171 16185->16173 16185->16174 16185->16175 16185->16177 16185->16178 16185->16179 16185->16181 16185->16182 16185->16183 16185->16184 16187 40ab81 lstrcpynA InterlockedIncrement 16185->16187 16188 40ef1e lstrlenA 16185->16188 16189 40a688 GetTickCount 16185->16189 16190 401feb GetTickCount 16185->16190 16186->16185 16187->16185 16188->16185 16189->16185 
16190->16185 16192 40f428 14 API calls 16191->16192 16193 40198a 16192->16193 16194 401990 closesocket 16193->16194 16195 401998 16193->16195 16194->16195 16195->16043 16197 402d21 6 API calls 16196->16197 16198 402f01 16197->16198 16201 402f0f 16198->16201 16212 402df2 GetModuleHandleA 16198->16212 16199 402684 2 API calls 16202 402f1d 16199->16202 16201->16199 16203 402f1f 16201->16203 16202->16037 16203->16037 16205 401c80 16204->16205 16206 401d1c 16205->16206 16207 401cc2 wsprintfA 16205->16207 16210 401d79 16205->16210 16209 401d47 wsprintfA 16206->16209 16208 402684 2 API calls 16207->16208 16208->16205 16211 402684 2 API calls 16209->16211 16210->16055 16211->16210 16213 402e10 LoadLibraryA 16212->16213 16214 402e0b 16212->16214 16215 402e17 16213->16215 16214->16213 16214->16215 16216 402ef1 16215->16216 16217 402e28 GetProcAddress 16215->16217 16216->16201 16217->16216 16218 402e3e GetProcessHeap HeapAlloc 16217->16218 16220 402e62 16218->16220 16219 402ede GetProcessHeap HeapFree 16219->16216 16220->16216 16220->16219 16221 402e7f htons inet_addr 16220->16221 16222 402ea5 gethostbyname 16220->16222 16224 402ceb 16220->16224 16221->16220 16221->16222 16222->16220 16226 402cf2 16224->16226 16227 402d1c 16226->16227 16228 402d0e Sleep 16226->16228 16229 402a62 GetProcessHeap HeapAlloc 16226->16229 16227->16220 16228->16226 16228->16227 16230 402a92 16229->16230 16231 402a99 socket 16229->16231 16230->16226 16232 402cd3 GetProcessHeap HeapFree 16231->16232 16233 402ab4 16231->16233 16232->16230 16233->16232 16241 402abd 16233->16241 16234 402adb htons 16249 4026ff 16234->16249 16236 402b04 select 16236->16241 16237 402ca4 16238 402cb3 GetProcessHeap HeapFree closesocket 16237->16238 16238->16230 16239 402b3f recv 16239->16241 16240 402b66 htons 16240->16237 16240->16241 16241->16234 16241->16236 16241->16237 16241->16238 16241->16239 16241->16240 16242 402b87 htons 16241->16242 16245 402bf3 GetProcessHeap HeapAlloc 16241->16245 16246 402c17 htons 
16241->16246 16248 402c4d GetProcessHeap HeapFree 16241->16248 16256 402923 16241->16256 16268 402904 16241->16268 16242->16237 16242->16241 16245->16241 16264 402871 16246->16264 16248->16241 16250 40271d 16249->16250 16251 402717 16249->16251 16253 40272b GetTickCount htons 16250->16253 16252 40ebcc 4 API calls 16251->16252 16252->16250 16254 4027cc htons htons sendto 16253->16254 16255 40278a 16253->16255 16254->16241 16255->16254 16257 402944 16256->16257 16259 40293d 16256->16259 16272 402816 htons 16257->16272 16259->16241 16260 402871 htons 16261 402950 16260->16261 16261->16259 16261->16260 16262 4029bd htons htons htons 16261->16262 16262->16259 16263 4029f6 GetProcessHeap HeapAlloc 16262->16263 16263->16259 16263->16261 16265 4028e3 16264->16265 16267 402889 16264->16267 16265->16241 16266 4028c3 htons 16266->16265 16266->16267 16267->16265 16267->16266 16269 402921 16268->16269 16270 402908 16268->16270 16269->16241 16271 402909 GetProcessHeap HeapFree 16270->16271 16271->16269 16271->16271 16273 40286b 16272->16273 16274 402836 16272->16274 16273->16261 16274->16273 16275 40285c htons 16274->16275 16275->16273 16275->16274 16277 406bc0 16276->16277 16278 406bbc 16276->16278 16279 406bd4 16277->16279 16280 40ebcc 4 API calls 16277->16280 16278->16078 16279->16078 16281 406be4 16280->16281 16281->16279 16282 406c07 CreateFileA 16281->16282 16283 406bfc 16281->16283 16285 406c34 WriteFile 16282->16285 16286 406c2a 16282->16286 16284 40ec2e codecvt 4 API calls 16283->16284 16284->16279 16287 406c49 CloseHandle DeleteFileA 16285->16287 16288 406c5a CloseHandle 16285->16288 16289 40ec2e codecvt 4 API calls 16286->16289 16287->16286 16290 40ec2e codecvt 4 API calls 16288->16290 16289->16279 16290->16279 14469 40b535 14470 40b566 14469->14470 14527 40ebcc GetProcessHeap RtlAllocateHeap 14470->14527 14473 40ebcc 4 API calls 14493 40b590 14473->14493 14474 40bdcd InterlockedDecrement 14475 40bde2 14474->14475 14670 40ec2e 14475->14670 14479 40ec2e codecvt 4 API 
calls 14481 40bdf2 14479->14481 14480 40bdb7 Sleep 14480->14493 14482 40be05 14481->14482 14484 40ec2e codecvt 4 API calls 14481->14484 14483 40bdcc 14483->14474 14484->14482 14488 40b6b6 lstrlenA 14488->14493 14522 40b740 14488->14522 14490 40b6ed lstrcpyA 14557 405ce1 14490->14557 14493->14474 14493->14483 14493->14488 14493->14490 14495 40b731 lstrlenA 14493->14495 14496 40b71f lstrcmpA 14493->14496 14493->14522 14530 403e10 14493->14530 14533 403e4f 14493->14533 14536 40384f 14493->14536 14548 40ebed 14493->14548 14495->14493 14495->14522 14496->14495 14496->14522 14497 40b772 GetTickCount 14497->14522 14498 40bd49 InterlockedIncrement 14667 40a628 14498->14667 14501 40bc5b InterlockedIncrement 14501->14493 14502 40b7ce InterlockedIncrement 14578 40acd7 14502->14578 14505 40b912 GetTickCount 14505->14522 14506 40b826 InterlockedIncrement 14506->14497 14507 40b932 GetTickCount 14509 40bc6d InterlockedIncrement 14507->14509 14507->14522 14508 40bcdc closesocket 14508->14522 14509->14522 14510 4038f0 6 API calls 14510->14522 14512 40bba6 InterlockedIncrement 14512->14522 14514 40a7c1 22 API calls 14514->14522 14516 40bc4c closesocket 14516->14522 14518 405ce1 22 API calls 14518->14522 14519 40ba71 wsprintfA 14601 40a7c1 14519->14601 14520 405ded 12 API calls 14520->14522 14522->14480 14522->14497 14522->14498 14522->14501 14522->14502 14522->14505 14522->14506 14522->14507 14522->14508 14522->14510 14522->14512 14522->14514 14522->14516 14522->14518 14522->14519 14522->14520 14524 40ab81 lstrcpynA InterlockedIncrement 14522->14524 14565 4030b5 14522->14565 14569 40e819 14522->14569 14576 40a7a3 inet_ntoa 14522->14576 14583 40ef1e lstrlenA 14522->14583 14585 40abee 14522->14585 14597 401feb GetTickCount 14522->14597 14598 40a688 14522->14598 14621 403cfb 14522->14621 14624 40b3c5 14522->14624 14655 40ab81 14522->14655 14524->14522 14675 40eb74 14527->14675 14678 4030fa GetTickCount 14530->14678 14532 403e1d 14532->14493 14534 4030fa 4 API calls 14533->14534 14535 
403e5c 14534->14535 14535->14493 14537 4030fa 4 API calls 14536->14537 14538 403863 14537->14538 14539 4038b9 14538->14539 14540 403889 14538->14540 14547 4038b2 14538->14547 14689 4035f9 14539->14689 14683 403718 14540->14683 14545 403718 6 API calls 14545->14547 14546 4035f9 6 API calls 14546->14547 14547->14493 14549 40ec01 14548->14549 14550 40ebf6 14548->14550 14707 40eba0 14549->14707 14551 40ebcc 4 API calls 14550->14551 14553 40ebfe 14551->14553 14553->14493 14555 40eb74 2 API calls 14556 40ec28 14555->14556 14556->14493 14558 405cf4 14557->14558 14559 405cec 14557->14559 14561 404bd1 4 API calls 14558->14561 14710 404bd1 GetTickCount 14559->14710 14562 405d02 14561->14562 14715 405472 14562->14715 14778 40ee2a 14565->14778 14568 4030ed 14568->14522 14780 40dd05 GetTickCount 14569->14780 14571 40e821 14787 40dd84 14571->14787 14574 40e844 14574->14522 14577 40a7b9 14576->14577 14577->14522 14800 40f315 14578->14800 14581 40acff 14581->14522 14582 40f315 14 API calls 14582->14581 14584 40ef32 14583->14584 14584->14522 14586 40abfb 14585->14586 14589 40ac65 14586->14589 14813 402f22 14586->14813 14588 40f315 14 API calls 14588->14589 14589->14588 14590 40ac8a 14589->14590 14591 40ac6f 14589->14591 14590->14522 14593 40ab81 2 API calls 14591->14593 14592 40ac23 14592->14589 14821 402684 14592->14821 14595 40ac81 14593->14595 14825 4038f0 14595->14825 14597->14522 14839 40a63d 14598->14839 14600 40a696 14600->14522 14602 40a87d lstrlenA send 14601->14602 14603 40a7df 14601->14603 14604 40a899 14602->14604 14605 40a8bf 14602->14605 14603->14602 14609 40a7fa wsprintfA 14603->14609 14612 40a80a 14603->14612 14613 40a8f2 14603->14613 14607 40a8a5 wsprintfA 14604->14607 14614 40a89e 14604->14614 14608 40a8c4 send 14605->14608 14605->14613 14606 40a978 recv 14606->14613 14615 40a982 14606->14615 14607->14614 14610 40a8d8 wsprintfA 14608->14610 14608->14613 14609->14612 14610->14614 14611 40a9b0 wsprintfA 14611->14614 14612->14602 14613->14606 14613->14611 
14613->14615 14614->14522 14615->14614 14616 4030b5 2 API calls 14615->14616 14617 40ab05 14616->14617 14618 40e819 11 API calls 14617->14618 14619 40ab17 14618->14619 14620 40a7a3 inet_ntoa 14619->14620 14620->14614 14622 4030fa 4 API calls 14621->14622 14623 403d0b 14622->14623 14623->14522 14625 405ce1 22 API calls 14624->14625 14626 40b3e6 14625->14626 14627 405ce1 22 API calls 14626->14627 14629 40b404 14627->14629 14628 40b440 14631 40ef7c 3 API calls 14628->14631 14629->14628 14630 40ef7c 3 API calls 14629->14630 14633 40b42b 14630->14633 14632 40b458 wsprintfA 14631->14632 14634 40ef7c 3 API calls 14632->14634 14635 40ef7c 3 API calls 14633->14635 14636 40b480 14634->14636 14635->14628 14637 40ef7c 3 API calls 14636->14637 14638 40b493 14637->14638 14639 40ef7c 3 API calls 14638->14639 14640 40b4bb 14639->14640 14844 40ad89 GetLocalTime SystemTimeToFileTime 14640->14844 14644 40b4cc 14645 40ef7c 3 API calls 14644->14645 14646 40b4dd 14645->14646 14647 40b211 7 API calls 14646->14647 14648 40b4ec 14647->14648 14649 40ef7c 3 API calls 14648->14649 14650 40b4fd 14649->14650 14651 40b211 7 API calls 14650->14651 14652 40b509 14651->14652 14653 40ef7c 3 API calls 14652->14653 14654 40b51a 14653->14654 14654->14522 14656 40abe9 GetTickCount 14655->14656 14658 40ab8c 14655->14658 14660 40a51d 14656->14660 14657 40aba8 lstrcpynA 14657->14658 14658->14656 14658->14657 14659 40abe1 InterlockedIncrement 14658->14659 14659->14658 14876 40a4c7 GetTickCount 14660->14876 14663 40a542 GetTickCount 14665 40a539 GetTickCount 14663->14665 14666 40a56c 14665->14666 14666->14522 14668 40a4c7 4 API calls 14667->14668 14669 40a633 14668->14669 14669->14522 14671 40ec37 14670->14671 14672 40bdea 14670->14672 14673 40eba0 codecvt 2 API calls 14671->14673 14672->14479 14674 40ec3d GetProcessHeap HeapFree 14673->14674 14674->14672 14676 40eb7b GetProcessHeap HeapSize 14675->14676 14677 40b587 14675->14677 14676->14677 14677->14473 14679 403122 InterlockedExchange 14678->14679 14680 
40312e 14679->14680 14681 40310f GetTickCount 14679->14681 14680->14532 14681->14680 14682 40311a Sleep 14681->14682 14682->14679 14695 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 14683->14695 14685 403847 14685->14545 14685->14547 14686 40372a 14686->14685 14687 4037b3 GetCurrentThreadId 14686->14687 14687->14686 14688 4037c8 GetCurrentThreadId 14687->14688 14688->14686 14690 40f04e 4 API calls 14689->14690 14691 40360c 14690->14691 14692 4036da GetCurrentThreadId 14691->14692 14693 4036f1 14691->14693 14692->14693 14694 4036e5 GetCurrentThreadId 14692->14694 14693->14546 14693->14547 14694->14693 14698 40eb41 14695->14698 14697 40f0b7 14697->14686 14699 40eb4a 14698->14699 14702 40eb61 14698->14702 14703 40eae4 14699->14703 14701 40eb54 14701->14697 14701->14702 14702->14697 14704 40eb02 GetProcAddress 14703->14704 14705 40eaed LoadLibraryA 14703->14705 14704->14701 14705->14704 14706 40eb01 14705->14706 14706->14701 14708 40eba7 GetProcessHeap HeapSize 14707->14708 14709 40ebbf GetProcessHeap HeapReAlloc 14707->14709 14708->14709 14709->14555 14711 404bff InterlockedExchange 14710->14711 14712 404c08 14711->14712 14713 404bec GetTickCount 14711->14713 14712->14558 14713->14712 14714 404bf7 Sleep 14713->14714 14714->14711 14734 404763 14715->14734 14717 405b58 14744 404699 14717->14744 14720 404763 lstrlenA 14721 405b6e 14720->14721 14765 404f9f 14721->14765 14723 405b79 14723->14493 14724 404ae6 8 API calls 14732 40548a 14724->14732 14726 405549 lstrlenA 14726->14732 14728 40558d lstrcpynA 14728->14732 14729 405a9f lstrcpyA 14729->14732 14730 405935 lstrcpynA 14730->14732 14731 405472 13 API calls 14731->14732 14732->14717 14732->14724 14732->14728 14732->14729 14732->14730 14732->14731 14733 4058e7 lstrcpyA 14732->14733 14738 404ae6 14732->14738 14742 40ef7c lstrlenA lstrlenA lstrlenA 14732->14742 14733->14732 14736 40477a 14734->14736 14735 404859 14735->14732 14736->14735 14737 40480d lstrlenA 14736->14737 14737->14736 14739 404af3 14738->14739 14741 
404b03 14738->14741 14740 40ebed 8 API calls 14739->14740 14740->14741 14741->14726 14743 40efb4 14742->14743 14743->14732 14770 4045b3 14744->14770 14747 4045b3 7 API calls 14748 4046c6 14747->14748 14749 4045b3 7 API calls 14748->14749 14750 4046d8 14749->14750 14751 4045b3 7 API calls 14750->14751 14752 4046ea 14751->14752 14753 4045b3 7 API calls 14752->14753 14754 4046ff 14753->14754 14755 4045b3 7 API calls 14754->14755 14756 404711 14755->14756 14757 4045b3 7 API calls 14756->14757 14758 404723 14757->14758 14759 40ef7c 3 API calls 14758->14759 14760 404735 14759->14760 14761 40ef7c 3 API calls 14760->14761 14762 40474a 14761->14762 14763 40ef7c 3 API calls 14762->14763 14764 40475c 14763->14764 14764->14720 14766 404fac 14765->14766 14769 404fb0 14765->14769 14766->14723 14767 404ffd 14767->14723 14768 404fd5 IsBadCodePtr 14768->14769 14769->14767 14769->14768 14771 4045c1 14770->14771 14772 4045c8 14770->14772 14773 40ebcc 4 API calls 14771->14773 14774 40ebcc 4 API calls 14772->14774 14776 4045e1 14772->14776 14773->14772 14774->14776 14775 404691 14775->14747 14776->14775 14777 40ef7c 3 API calls 14776->14777 14777->14776 14779 4030d0 gethostname gethostbyname 14778->14779 14779->14568 14781 40dd41 InterlockedExchange 14780->14781 14782 40dd20 GetCurrentThreadId 14781->14782 14783 40dd4a 14781->14783 14784 40dd53 GetCurrentThreadId 14782->14784 14785 40dd2e GetTickCount 14782->14785 14783->14784 14784->14571 14785->14783 14786 40dd39 Sleep 14785->14786 14786->14781 14788 40ddc5 14787->14788 14789 40dd96 14787->14789 14788->14574 14791 402480 14788->14791 14789->14788 14790 40ddad lstrcmpiA 14789->14790 14790->14788 14790->14789 14794 402419 lstrlenA 14791->14794 14793 402491 14793->14574 14795 402474 14794->14795 14796 40243d lstrlenA 14794->14796 14795->14793 14797 402464 lstrlenA 14796->14797 14798 40244e lstrcmpiA 14796->14798 14797->14795 14797->14796 14798->14797 14799 40245c 14798->14799 14799->14795 14799->14797 14801 40aceb 14800->14801 14802 
40f33b 14800->14802 14801->14581 14801->14582 14803 40f347 htons socket 14802->14803 14804 40f382 ioctlsocket 14803->14804 14805 40f374 closesocket 14803->14805 14806 40f3aa connect select 14804->14806 14807 40f39d 14804->14807 14805->14801 14806->14801 14809 40f3f2 __WSAFDIsSet 14806->14809 14808 40f39f closesocket 14807->14808 14808->14801 14809->14808 14810 40f403 ioctlsocket 14809->14810 14812 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 14810->14812 14812->14801 14832 402d21 GetModuleHandleA 14813->14832 14816 402fcf GetProcessHeap HeapFree 14820 402f44 14816->14820 14817 402f4f 14819 402f6b GetProcessHeap HeapFree 14817->14819 14818 402f85 14818->14816 14819->14820 14820->14592 14822 402692 inet_addr 14821->14822 14823 40268e 14821->14823 14822->14823 14824 40269e gethostbyname 14822->14824 14823->14592 14824->14823 14826 403900 14825->14826 14827 403980 14825->14827 14828 4030fa 4 API calls 14826->14828 14827->14590 14831 40390a 14828->14831 14829 40391b GetCurrentThreadId 14829->14831 14830 403939 GetCurrentThreadId 14830->14831 14831->14827 14831->14829 14831->14830 14833 402d46 LoadLibraryA 14832->14833 14834 402d5b GetProcAddress 14832->14834 14833->14834 14837 402d54 14833->14837 14835 402d6b 14834->14835 14834->14837 14836 402d97 GetProcessHeap HeapAlloc 14835->14836 14835->14837 14838 402db5 lstrcpynA 14835->14838 14836->14835 14836->14837 14837->14817 14837->14818 14837->14820 14838->14835 14840 40a645 14839->14840 14841 40a64d 14839->14841 14840->14600 14842 40a66e 14841->14842 14843 40a65e GetTickCount 14841->14843 14842->14600 14843->14842 14845 40adbf 14844->14845 14869 40ad08 gethostname 14845->14869 14848 4030b5 2 API calls 14849 40add3 14848->14849 14850 40a7a3 inet_ntoa 14849->14850 14858 40ade4 14849->14858 14850->14858 14851 40ae85 wsprintfA 14852 40ef7c 3 API calls 14851->14852 14853 40aebb 14852->14853 14855 40ef7c 3 API calls 14853->14855 14854 40ae36 wsprintfA wsprintfA 14856 40ef7c 3 API calls 14854->14856 14857 40aed2 
14855->14857 14856->14858 14859 40b211 14857->14859 14858->14851 14858->14854 14860 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 14859->14860 14861 40b2af GetLocalTime 14859->14861 14862 40b2d2 14860->14862 14861->14862 14863 40b2d9 SystemTimeToFileTime 14862->14863 14864 40b31c GetTimeZoneInformation 14862->14864 14865 40b2ec 14863->14865 14866 40b33a wsprintfA 14864->14866 14867 40b312 FileTimeToSystemTime 14865->14867 14866->14644 14867->14864 14870 40ad71 14869->14870 14875 40ad26 lstrlenA 14869->14875 14872 40ad85 14870->14872 14873 40ad79 lstrcpyA 14870->14873 14872->14848 14873->14872 14874 40ad68 lstrlenA 14874->14870 14875->14870 14875->14874 14877 40a4f7 InterlockedExchange 14876->14877 14878 40a500 14877->14878 14879 40a4e4 GetTickCount 14877->14879 14878->14663 14878->14665 14879->14878 14880 40a4ef Sleep 14879->14880 14880->14877
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                        • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                        • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                        • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                      • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                      • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                      • ExitProcess.KERNEL32 ref: 00409C06
                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                      • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                      • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                      • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                      • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                      • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                      • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                      • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                      • wsprintfA.USER32 ref: 0040A0B6
                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                      • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                        • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                      • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                      • GetLastError.KERNEL32 ref: 0040A3ED
                                                                      • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                      • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                      • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                      • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                      • GetTickCount.KERNEL32 ref: 0040A49F
                                                                      • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                      • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                      • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                      • API String ID: 2089075347-2824936573
                                                                      • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                      • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                      Control-flow Graph

                                                                      control_flow_graph 497 409326-409348 call 401910 GetVersionExA 500 409358-40935c 497->500 501 40934a-409356 497->501 502 409360-40937d GetModuleHandleA GetModuleFileNameA 500->502 501->502 503 409385-4093a2 502->503 504 40937f 502->504 505 4093a4-4093d7 call 402544 wsprintfA 503->505 506 4093d9-409412 call 402544 wsprintfA 503->506 504->503 511 409415-40942c call 40ee2a 505->511 506->511 514 4094a3-4094b3 call 406edd 511->514 515 40942e-409432 511->515 521 4094b9-4094f9 call 402544 RegOpenKeyExA 514->521 522 40962f-409632 514->522 515->514 517 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 515->517 517->514 530 409502-40952e call 402544 RegQueryValueExA 521->530 531 4094fb-409500 521->531 524 409634-409637 522->524 528 409639-40964a call 401820 524->528 529 40967b-409682 524->529 540 40964c-409662 528->540 541 40966d-409679 528->541 533 409683 call 4091eb 529->533 549 409530-409537 530->549 550 409539-409565 call 402544 RegQueryValueExA 530->550 536 40957a-40957f 531->536 544 409688-409690 533->544 545 409581-409584 536->545 546 40958a-40958d 536->546 547 409664-40966b 540->547 548 40962b-40962d 540->548 541->533 552 409692 544->552 553 409698-4096a0 544->553 545->524 545->546 546->529 554 409593-40959a 546->554 547->548 558 4096a2-4096a9 548->558 555 40956e-409577 RegCloseKey 549->555 550->555 566 409567 550->566 552->553 553->558 559 40961a-40961f 554->559 560 40959c-4095a1 554->560 555->536 564 409625 559->564 560->559 561 4095a3-4095c0 call 40f0e4 560->561 570 4095c2-4095db call 4018e0 561->570 571 40960c-409618 561->571 564->548 566->555 570->558 574 4095e1-4095f9 570->574 571->564 574->558 575 4095ff-409607 574->575 575->558
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                      • wsprintfA.USER32 ref: 004093CE
                                                                      • wsprintfA.USER32 ref: 0040940C
                                                                      • wsprintfA.USER32 ref: 0040948D
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID: PromptOnSecureDesktop$runas
                                                                      • API String ID: 3696105349-2220793183
                                                                      • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                      • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                      • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                      • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                      Control-flow Graph

                                                                      control_flow_graph 614 406a60-406a89 CreateFileA 615 406b8c-406ba1 GetLastError 614->615 616 406a8f-406ac3 GetDiskFreeSpaceA 614->616 619 406ba3-406ba6 615->619 617 406ac5-406adc call 40eb0e 616->617 618 406b1d-406b34 call 406987 616->618 617->618 626 406ade 617->626 624 406b56-406b63 FindCloseChangeNotification 618->624 625 406b36-406b54 GetLastError CloseHandle 618->625 628 406b65-406b7d GetLastError CloseHandle 624->628 629 406b86-406b8a 624->629 627 406b7f-406b80 DeleteFileA 625->627 630 406ae0-406ae5 626->630 631 406ae7-406afb call 40eca5 626->631 627->629 628->627 629->619 630->631 632 406afd-406aff 630->632 631->618 632->618 635 406b01 632->635 636 406b03-406b08 635->636 637 406b0a-406b17 call 40eca5 635->637 636->618 636->637 637->618
                                                                      APIs
                                                                      • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                      • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                      • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 1251348514-2980165447
                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                      • GetTickCount.KERNEL32 ref: 0040EC78
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                      • String ID:
                                                                      • API String ID: 1209300637-0
                                                                      • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                      • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                      Control-flow Graph

                                                                      control_flow_graph 843 5d2dff-5d2e18 844 5d2e1a-5d2e1c 843->844 845 5d2e1e 844->845 846 5d2e23-5d2e2f CreateToolhelp32Snapshot 844->846 845->846 847 5d2e3f-5d2e4c Module32First 846->847 848 5d2e31-5d2e37 846->848 849 5d2e4e-5d2e4f call 5d2abe 847->849 850 5d2e55-5d2e5d 847->850 848->847 853 5d2e39-5d2e3d 848->853 854 5d2e54 849->854 853->844 853->847 854->850
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005D2E27
                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 005D2E47
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134977363.00000000005CE000.00000040.00000020.00020000.00000000.sdmp, Offset: 005CE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5ce000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                      • String ID:
                                                                      • API String ID: 3833638111-0
                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction ID: 65df27b692b95a0eee10df01b5295090772c10f42ec0e537a0189985e14cc98a
                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction Fuzzy Hash: 42F0C2321003106BD7302AF9A88CB7BBBECFF58721F10012BE652962C0DB70EC058A61

                                                                      Control-flow Graph

                                                                      control_flow_graph 859 40ebcc-40ebec GetProcessHeap RtlAllocateHeap call 40eb74
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                        • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                        • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocateSize
                                                                      • String ID:
                                                                      • API String ID: 2559512979-0
                                                                      • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                      • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                      • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                      • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                      Control-flow Graph

                                                                      control_flow_graph 264 4073ff-407419 265 40741b 264->265 266 40741d-407422 264->266 265->266 267 407424 266->267 268 407426-40742b 266->268 267->268 269 407430-407435 268->269 270 40742d 268->270 271 407437 269->271 272 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 269->272 270->269 271->272 277 407487-40749d call 40ee2a 272->277 278 4077f9-4077fe call 40ee2a 272->278 284 407703-40770e RegEnumKeyA 277->284 283 407801 278->283 285 407804-407808 283->285 286 4074a2-4074b1 call 406cad 284->286 287 407714-40771d RegCloseKey 284->287 290 4074b7-4074cc call 40f1a5 286->290 291 4076ed-407700 286->291 287->283 290->291 294 4074d2-4074f8 RegOpenKeyExA 290->294 295 407727-40772a 294->295 296 4074fe-407530 call 402544 RegQueryValueExA 294->296 297 407755-407764 call 40ee2a 295->297 298 40772c-407740 call 40ef00 295->298 296->295 304 407536-40753c 296->304 309 4076df-4076e2 297->309 306 407742-407745 RegCloseKey 298->306 307 40774b-40774e 298->307 308 40753f-407544 304->308 310 407546-40754b 308->310 309->291 312 4076e4-4076e7 RegCloseKey 309->312 311 4077ec-4077f7 RegCloseKey 307->311 308->308 310->297 313 407551-40756b call 40ee95 310->313 311->285 312->291 313->297 316 407571-407593 call 402544 call 40ee95 313->316 321 407753 316->321 322 407599-4075a0 316->322 321->297 323 4075a2-4075c6 call 40ef00 call 40ed03 322->323 324 4075c8-4075d7 call 40ed03 322->324 330 4075d8-4075da 323->330 324->330 332 4075dc 330->332 333 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 330->333 332->333 342 407626-40762b 333->342 342->342 343 40762d-407634 342->343 344 407637-40763c 343->344 344->344 345 40763e-407642 344->345 346 407644-407656 call 40ed77 345->346 347 40765c-407673 call 40ed23 345->347 352 407769-40777c call 40ef00 346->352 353 407680 347->353 354 407675-40767e 347->354 359 4077e3-4077e6 RegCloseKey 352->359 356 407683-40768e call 406cad 353->356 354->356 361 407722-407725 356->361 362 407694-4076bf call 40f1a5 call 406c96 356->362 359->311 364 4076dd 361->364 368 4076c1-4076c7 362->368 369 4076d8 362->369 364->309 368->369 370 4076c9-4076d2 368->370 369->364 370->369 371 40777e-407797 GetFileAttributesExA 370->371 372 407799 371->372 373 40779a-40779f 371->373 372->373 374 4077a1 373->374 375 4077a3-4077a8 373->375 374->375 376 4077c4-4077c8 375->376 377 4077aa-4077c0 call 40ee08 375->377 379 4077d7-4077dc 376->379 380 4077ca-4077d6 call 40ef00 376->380 377->376 383 4077e0-4077e2 379->383 384 4077de 379->384 380->379 383->359 384->383
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00407472
                                                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 004074F0
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00407528
                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 004076E7
                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00407717
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00407745
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 004077EF
                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                      • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "$PromptOnSecureDesktop
                                                                      • API String ID: 3433985886-3108538426
                                                                      • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                      • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                      Control-flow Graph

                                                                      control_flow_graph 386 40704c-407071 387 407073 386->387 388 407075-40707a 386->388 387->388 389 40707c 388->389 390 40707e-407083 388->390 389->390 391 407085 390->391 392 407087-40708c 390->392 391->392 393 407090-4070ca call 402544 RegOpenKeyExA 392->393 394 40708e 392->394 397 4070d0-4070f6 call 406dc2 393->397 398 4071b8-4071c8 call 40ee2a 393->398 394->393 403 40719b-4071a9 RegEnumValueA 397->403 404 4071cb-4071cf 398->404 405 4070fb-4070fd 403->405 406 4071af-4071b2 RegCloseKey 403->406 407 40716e-407194 405->407 408 4070ff-407102 405->408 406->398 407->403 408->407 409 407104-407107 408->409 409->407 410 407109-40710d 409->410 410->407 411 40710f-407133 call 402544 call 40eed1 410->411 416 4071d0-407203 call 402544 call 40ee95 call 40ee2a 411->416 417 407139-407145 call 406cad 411->417 432 407205-407212 RegCloseKey 416->432 433 407227-40722e 416->433 423 407147-40715c call 40f1a5 417->423 424 40715e-40716b call 40ee2a 417->424 423->416 423->424 424->407 434 407222-407225 432->434 435 407214-407221 call 40ef00 432->435 436 407230-407256 call 40ef00 call 40ed23 433->436 437 40725b-40728c call 402544 call 40ee95 call 40ee2a 433->437 434->404 435->434 436->437 448 407258 436->448 451 4072b8-4072cb call 40ed77 437->451 452 40728e-40729a RegCloseKey 437->452 448->437 458 4072dd-4072f4 call 40ed23 451->458 459 4072cd-4072d8 RegCloseKey 451->459 453 4072aa-4072b3 452->453 454 40729c-4072a9 call 40ef00 452->454 453->404 454->453 463 407301 458->463 464 4072f6-4072ff 458->464 459->404 465 407304-40730f call 406cad 463->465 464->465 468 407311-40731d RegCloseKey 465->468 469 407335-40735d call 406c96 465->469 470 40732d-407330 468->470 471 40731f-40732c call 40ef00 468->471 475 4073d5-4073e2 RegCloseKey 469->475 476 40735f-407365 469->476 470->453 471->470 479 4073f2-4073f7 475->479 480 4073e4-4073f1 call 40ef00 475->480 476->475 478 407367-407370 476->478 478->475 481 407372-40737c 478->481 480->479 483 40739d-4073a2 481->483 484 40737e-407395 GetFileAttributesExA 481->484 487 4073a4 483->487 488 4073a6-4073a9 483->488 484->483 486 407397 484->486 486->483 487->488 489 4073b9-4073bc 488->489 490 4073ab-4073b8 call 40ef00 488->490 492 4073cb-4073cd 489->492 493 4073be-4073ca call 40ef00 489->493 490->489 492->475 493->492
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 004070C2
                                                                      • RegEnumValueA.KERNELBASE(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0040719E
                                                                      • RegCloseKey.KERNELBASE(76230F10,?,76230F10,00000000), ref: 004071B2
                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 00407208
                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 00407291
                                                                      • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 004072D0
                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 00407314
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 004073D8
                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                      • String ID: $"$PromptOnSecureDesktop
                                                                      • API String ID: 4293430545-98143240
                                                                      • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                      • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                      • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                      • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
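
The file-reading routine listed next (0040675C) opens the target for GENERIC_READ, resets its attributes, then issues ReadFile calls of exactly 0x40, 0xF8 and 0x28 bytes separated by SetFilePointer seeks. Those sizes are sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and sizeof(IMAGE_SECTION_HEADER), so the call chain is consistent with a hand-rolled PE32 header walk rather than a plain file copy. The Python below is an added example, not code from this report or from the analysed sample: it performs the same three-step walk over a small PE32 image constructed in memory (the layout, section names and byte contents are made up here), validates each jump before following it, flags a section whose raw data runs past the end of the file, and measures any overlay appended after the last section, which is the first thing a triage analyst checks on a dropper. All structure sizes and field offsets are the standard PE32 values.

```python
"""PE32 header walk in the same three steps as the routine at 0040675C:
0x40 bytes (IMAGE_DOS_HEADER), seek to e_lfanew and read 0xF8 bytes
(IMAGE_NT_HEADERS32), then 0x28-byte IMAGE_SECTION_HEADER records.
The image parsed here is constructed in memory; it is not the analysed sample."""
import struct

DOS_HEADER_SIZE = 0x40      # sizeof(IMAGE_DOS_HEADER)
NT_HEADERS32_SIZE = 0xF8    # 4-byte "PE\0\0" + 20-byte file header + 224-byte PE32 optional header
SECTION_HEADER_SIZE = 0x28  # sizeof(IMAGE_SECTION_HEADER)
PE32_MAGIC = 0x10B          # IMAGE_NT_OPTIONAL_HDR32_MAGIC


def parse_pe32(data: bytes) -> dict:
    """Parse DOS, NT and section headers; raise ValueError on anything malformed."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + NT_HEADERS32_SIZE > len(data):          # bounds-check before the seek
        raise ValueError("e_lfanew points past end of file")
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if nt[:4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER directly follows the signature
    machine, n_sections, _ts, _symtab, _nsyms, opt_size, file_chars = struct.unpack_from("<HHIIIHH", nt, 4)
    if opt_size < 224 or struct.unpack_from("<H", nt, 24)[0] != PE32_MAGIC:
        raise ValueError("not a PE32 optional header")
    entry_point = struct.unpack_from("<I", nt, 24 + 16)[0]    # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", nt, 24 + 28)[0]     # ImageBase
    size_of_image = struct.unpack_from("<I", nt, 24 + 56)[0]  # SizeOfImage
    first_section = e_lfanew + 24 + opt_size                  # section table follows the optional header
    sections = []
    for i in range(n_sections):
        off = first_section + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table truncated")
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sec_chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_ptr": raw_ptr, "raw_size": raw_size, "characteristics": sec_chars,
            # raw data past EOF: a truncated file or a header lying about its payload
            "truncated": raw_ptr + raw_size > len(data),
        })
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    return {
        "machine": machine, "file_characteristics": file_chars,
        "entry_point": entry_point, "image_base": image_base, "size_of_image": size_of_image,
        "sections": sections,
        # bytes after the last section's raw data: where droppers commonly park a payload
        "overlay_size": max(0, len(data) - end_of_sections),
    }


def is_pe32(data: bytes) -> bool:
    """Convenience wrapper: True if the blob parses as a well-formed PE32 image."""
    try:
        parse_pe32(data)
        return True
    except ValueError:
        return False


def build_sample_pe(overlay: bytes = b"", truncate: bool = False) -> bytes:
    """Assemble a minimal two-section PE32 image (constructed test data, hypothetical layout)."""
    file_align, sec_align = 0x200, 0x1000
    # (name, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    layout = [
        (b".text", 0x1000, 0x200, 0x200, 0x60000020),  # CODE | EXECUTE | READ
        (b".data", 0x2000, 0x200, 0x400, 0xC0000040),  # INITIALIZED_DATA | READ | WRITE
    ]
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)  # e_lfanew: NT headers right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)  # i386, EXECUTABLE | 32BIT
    opt = bytearray(224)
    for off, fmt, val in ((0, "<H", PE32_MAGIC), (16, "<I", 0x1000), (28, "<I", 0x400000),
                          (32, "<I", sec_align), (36, "<I", file_align), (56, "<I", 0x3000),
                          (60, "<I", file_align), (68, "<H", 2), (92, "<I", 16)):
        struct.pack_into(fmt, opt, off, val)
    sec_tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, rs, va, rs, rp, 0, 0, 0, 0, ch)
                       for n, va, rs, rp, ch in layout)
    image = bytearray((bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_tbl).ljust(file_align, b"\0"))
    for _, _, raw_size, raw_ptr, _ in layout:          # sections are laid out contiguously
        if len(image) != raw_ptr:
            raise AssertionError("constructed layout is not contiguous")
        image += b"\xCC" * raw_size                    # placeholder section bytes
    if truncate:
        del image[-0x100:]                             # make the last section run past EOF
    return bytes(image) + overlay


if __name__ == "__main__":
    info = parse_pe32(build_sample_pe(overlay=b"payload-goes-here"))
    print(f"entry 0x{info['entry_point']:x}  base 0x{info['image_base']:x}  overlay {info['overlay_size']} bytes")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va=0x{s['virtual_address']:x} raw=0x{s['raw_ptr']:x}+0x{s['raw_size']:x}"
              f"{'  TRUNCATED' if s['truncated'] else ''}")
```

The parser deliberately refuses to follow e_lfanew or a section table that would read past the buffer; the dropper's own routine has no such visible checks in the listing, which is exactly the kind of place a malformed dropped file makes a loader misbehave.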

                                                                      Control-flow Graph

                                                                      control_flow_graph 576 40675c-406778 577 406784-4067a2 CreateFileA 576->577 578 40677a-40677e SetFileAttributesA 576->578 579 4067a4-4067b2 CreateFileA 577->579 580 4067b5-4067b8 577->580 578->577 579->580 581 4067c5-4067c9 580->581 582 4067ba-4067bf SetFileAttributesA 580->582 583 406977-406986 581->583 584 4067cf-4067df GetFileSize 581->584 582->581 585 4067e5-4067e7 584->585 586 40696b 584->586 585->586 587 4067ed-40680b ReadFile 585->587 588 40696e-406971 FindCloseChangeNotification 586->588 587->586 589 406811-406824 SetFilePointer 587->589 588->583 589->586 590 40682a-406842 ReadFile 589->590 590->586 591 406848-406861 SetFilePointer 590->591 591->586 592 406867-406876 591->592 593 4068d5-4068df 592->593 594 406878-40688f ReadFile 592->594 593->588 595 4068e5-4068eb 593->595 596 406891-40689e 594->596 597 4068d2 594->597 598 4068f0-4068fe call 40ebcc 595->598 599 4068ed 595->599 600 4068a0-4068b5 596->600 601 4068b7-4068ba 596->601 597->593 598->586 608 406900-40690b SetFilePointer 598->608 599->598 603 4068bd-4068c3 600->603 601->603 605 4068c5 603->605 606 4068c8-4068ce 603->606 605->606 606->594 607 4068d0 606->607 607->593 609 40695a-406969 call 40ec2e 608->609 610 40690d-406920 ReadFile 608->610 609->588 610->609 611 406922-406958 610->611 611->588
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                      • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                      • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                      • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,76230F10,00000000), ref: 0040688B
                                                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00406906
                                                                      • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,76230F10,00000000), ref: 0040691C
                                                                      • FindCloseChangeNotification.KERNELBASE(000000FF,?,76230F10,00000000), ref: 00406971
                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                      • String ID:
                                                                      • API String ID: 1400801100-0
                                                                      • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                      • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                      • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                      • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 640 20a003c-20a0047 641 20a0049 640->641 642 20a004c-20a0263 call 20a0a3f call 20a0e0f call 20a0d90 VirtualAlloc 640->642 641->642 657 20a028b-20a0292 642->657 658 20a0265-20a0289 call 20a0a69 642->658 660 20a02a1-20a02b0 657->660 662 20a02ce-20a03c2 VirtualProtect call 20a0cce call 20a0ce7 658->662 660->662 663 20a02b2-20a02cc 660->663 669 20a03d1-20a03e0 662->669 663->660 670 20a0439-20a04b8 VirtualFree 669->670 671 20a03e2-20a0437 call 20a0ce7 669->671 673 20a04be-20a04cd 670->673 674 20a05f4-20a05fe 670->674 671->669 676 20a04d3-20a04dd 673->676 677 20a077f-20a0789 674->677 678 20a0604-20a060d 674->678 676->674 682 20a04e3-20a0505 LoadLibraryA 676->682 680 20a078b-20a07a3 677->680 681 20a07a6-20a07b0 677->681 678->677 683 20a0613-20a0637 678->683 680->681 684 20a086e-20a08be LoadLibraryA 681->684 685 20a07b6-20a07cb 681->685 686 20a0517-20a0520 682->686 687 20a0507-20a0515 682->687 688 20a063e-20a0648 683->688 692 20a08c7-20a08f9 684->692 689 20a07d2-20a07d5 685->689 690 20a0526-20a0547 686->690 687->690 688->677 691 20a064e-20a065a 688->691 693 20a07d7-20a07e0 689->693 694 20a0824-20a0833 689->694 695 20a054d-20a0550 690->695 691->677 696 20a0660-20a066a 691->696 697 20a08fb-20a0901 692->697 698 20a0902-20a091d 692->698 699 20a07e2 693->699 700 20a07e4-20a0822 693->700 704 20a0839-20a083c 694->704 701 20a05e0-20a05ef 695->701 702 20a0556-20a056b 695->702 703 20a067a-20a0689 696->703 697->698 699->694 700->689 701->676 705 20a056f-20a057a 702->705 706 20a056d 702->706 707 20a068f-20a06b2 703->707 708 20a0750-20a077a 703->708 704->684 709 20a083e-20a0847 704->709 715 20a059b-20a05bb 705->715 716 20a057c-20a0599 705->716 706->701 710 20a06ef-20a06fc 707->710 711 20a06b4-20a06ed 707->711 708->688 712 20a084b-20a086c 709->712 713 20a0849 709->713 717 20a074b 710->717 718 20a06fe-20a0748 710->718 711->710 712->704 713->684 723 20a05bd-20a05db 715->723 716->723 717->703 718->717 723->695
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 020A024D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: cess$kernel32.dll
                                                                      • API String ID: 4275171209-1230238691
                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction ID: 62dd707202abd75336868c3e5dbfb115dc0fafa5c7c726e13029abd26a9509f9
                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction Fuzzy Hash: 69527B74A01229DFDB64CFA8C994BACBBB1BF09304F5480D9E54DAB351DB30AA84DF14

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                      • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                      • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                        • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                        • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                        • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                        • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                        • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 4131120076-2980165447
                                                                      • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                      • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                      • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                      • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 739 404000-404008 740 40400b-40402a CreateFileA 739->740 741 404057 740->741 742 40402c-404035 GetLastError 740->742 745 404059-40405c 741->745 743 404052 742->743 744 404037-40403a 742->744 747 404054-404056 743->747 744->743 746 40403c-40403f 744->746 745->747 746->745 748 404041-404050 Sleep 746->748 748->740 748->743
                                                                      APIs
                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                      • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                      • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateErrorFileLastSleep
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 408151869-2980165447
                                                                      • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                      • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 749 406987-4069b7 750 4069e0 749->750 751 4069b9-4069be 749->751 752 4069e4-4069fd WriteFile 750->752 751->750 753 4069c0-4069d0 751->753 756 406a4d-406a51 752->756 757 4069ff-406a02 752->757 754 4069d2 753->754 755 4069d5-4069de 753->755 754->755 755->752 759 406a53-406a56 756->759 760 406a59 756->760 757->756 758 406a04-406a08 757->758 761 406a0a-406a0d 758->761 762 406a3c-406a3e 758->762 759->760 763 406a5b-406a5f 760->763 764 406a10-406a2e WriteFile 761->764 762->763 765 406a40-406a4b 764->765 766 406a30-406a33 764->766 765->763 766->765 767 406a35-406a3a 766->767 767->762 767->764
                                                                      APIs
                                                                      • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                      • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileWrite
                                                                      • String ID: ,k@
                                                                      • API String ID: 3934441357-1053005162
                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 769 4091eb-409208 770 409308 769->770 771 40920e-40921c call 40ed03 769->771 772 40930b-40930f 770->772 775 40921e-40922c call 40ed03 771->775 776 40923f-409249 771->776 775->776 782 40922e-409230 775->782 778 409250-409270 call 40ee08 776->778 779 40924b 776->779 785 409272-40927f 778->785 786 4092dd-4092e1 778->786 779->778 784 409233-409238 782->784 784->784 787 40923a-40923c 784->787 788 409281-409285 785->788 789 40929b-40929e 785->789 790 4092e3-4092e5 786->790 791 4092e7-4092e8 786->791 787->776 788->788 795 409287 788->795 793 4092a0 789->793 794 40928e-409293 789->794 790->791 792 4092ea-4092ef 790->792 791->786 798 4092f1-4092f6 Sleep 792->798 799 4092fc-409302 792->799 800 4092a8-4092ab 793->800 796 409295-409298 794->796 797 409289-40928c 794->797 795->789 796->800 801 40929a 796->801 797->794 797->801 798->799 799->770 799->771 802 4092a2-4092a5 800->802 803 4092ad-4092b0 800->803 801->789 804 4092b2 802->804 805 4092a7 802->805 803->804 806 4092bd 803->806 807 4092b5-4092b9 804->807 805->800 808 4092bf-4092db ShellExecuteA 806->808 807->807 809 4092bb 807->809 808->786 810 409310-409324 808->810 809->808 810->772
                                                                      APIs
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                      • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShellSleep
                                                                      • String ID:
                                                                      • API String ID: 4194306370-0
                                                                      • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                      • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                      • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                      • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 811 403718-403734 call 40f04e 814 403849-40384e 811->814 815 40373a-40373b 811->815 816 40373c-403747 815->816 817 403847-403848 816->817 818 40374d-403753 816->818 817->814 819 403836-403839 818->819 820 403759-403770 call 403524 818->820 819->817 822 40383b-403841 819->822 824 403826-403830 820->824 825 403776-403780 820->825 822->816 822->817 824->818 824->819 826 40381c-40381e 825->826 827 403824 826->827 828 403785-40378b 826->828 827->824 828->827 829 403791-403796 828->829 830 403798-40379b 829->830 831 40380f-403819 829->831 830->831 832 40379d-4037a0 830->832 831->826 833 4037a3-4037a6 832->833 834 4037b3-4037c6 GetCurrentThreadId 833->834 835 4037a8-4037af 833->835 836 4037d4-4037dd 834->836 837 4037c8-4037d1 GetCurrentThreadId 834->837 835->833 838 4037b1 835->838 839 4037f5-4037f7 836->839 840 4037df-4037ee 836->840 837->836 838->831 842 4037f8-40380c 839->842 841 4037f0-4037f3 840->841 840->842 841->842 842->831
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$FileSystem
                                                                      • String ID:
                                                                      • API String ID: 2086374402-0
                                                                      • Opcode ID: 5dfcc019ed47ccf545e98633f32ebd9cef86c567c83ccfa17dcce2386541df5a
                                                                      • Instruction ID: c77e3c3662200f4b45311faa76e4ca510bd461b46c102563d7fc0ec12242b992
                                                                      • Opcode Fuzzy Hash: 5dfcc019ed47ccf545e98633f32ebd9cef86c567c83ccfa17dcce2386541df5a
                                                                      • Instruction Fuzzy Hash: 1E415C75D00616EFCB20DF65C4805AEBBF9FF08706B1085BAE856A7791D334AE80CB94

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 856 20a0e0f-20a0e24 SetErrorMode * 2 857 20a0e2b-20a0e2c 856->857 858 20a0e26 856->858 858->857
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,020A0223,?,?), ref: 020A0E19
                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,020A0223,?,?), ref: 020A0E1E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction ID: 33b567a1a33f63f792c9747ca2383e3da36be57c6f4a5996c5fab058136cccf8
                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction Fuzzy Hash: D9D0123224522CB7DB412AD4DC09BCEBB5CDF09BA6F408021FB0DE9080CBB09A4046EA
                                                                      APIs
                                                                        • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                        • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                        • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                        • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                      • String ID:
                                                                      • API String ID: 1823874839-0
                                                                      • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                      • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005D2B0F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134977363.00000000005CE000.00000040.00000020.00020000.00000000.sdmp, Offset: 005CE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5ce000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction ID: e577fbc29f1d3fabea633cd358fde7960b03d55f72b96ba81fc215ec2e3cafcf
                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction Fuzzy Hash: A7112B79A00208EFDB01DF98C985E98BFF5AF08351F058095F9489B362D371EA90DF80
                                                                      APIs
                                                                      • closesocket.WS2_32(?), ref: 0040CA4E
                                                                      • closesocket.WS2_32(?), ref: 0040CB63
                                                                      • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                      • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                      • wsprintfA.USER32 ref: 0040CD21
                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                      • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                      • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                      • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                      • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                      • closesocket.WS2_32(?), ref: 0040D56C
                                                                      • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                      • ExitProcess.KERNEL32 ref: 0040D583
                                                                      • wsprintfA.USER32 ref: 0040D81F
                                                                        • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                      • closesocket.WS2_32(?), ref: 0040DAD5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                      • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                      • API String ID: 562065436-3791576231
                                                                      • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                      • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                      • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                      • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                      • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                      • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                      • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                      • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                      • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                      • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                      • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                      • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                      • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                      • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressProc$LibraryLoad
                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                      • API String ID: 2238633743-3228201535
                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                      • API String ID: 766114626-2976066047
                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                      • API String ID: 1628651668-1839596206
                                                                      • Opcode ID: a0e9a54620e17a19c471557000c2f4691014b1237bb567fcc585c5994024cd6c
                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                      • Opcode Fuzzy Hash: a0e9a54620e17a19c471557000c2f4691014b1237bb567fcc585c5994024cd6c
                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                      • API String ID: 4207808166-1381319158
                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00402A83
                                                                      • HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00402A86
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                      • htons.WS2_32(00000000), ref: 00402ADB
                                                                      • select.WS2_32 ref: 00402B28
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                      • htons.WS2_32(?), ref: 00402B71
                                                                      • htons.WS2_32(?), ref: 00402B8C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                      • String ID:
                                                                      • API String ID: 1639031587-0
                                                                      • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                      • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                      • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                      • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateEventExitProcess
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 2404124870-2980165447
                                                                      • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                      • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                      • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                      • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 2438460464-0
                                                                      • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                      • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                      • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                      • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                      APIs
                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                      • String ID: *p@
                                                                      • API String ID: 3429775523-2474123842
                                                                      • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                      • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                      • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                      • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
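The AllocateAndInitializeSid / CheckTokenMembership / FreeSid triple above is the standard "is the caller a member of BUILTIN\Administrators" test. The argument values the trace records (sub-authority count 2, sub-authorities 0x20 and 0x220) are enough to rebuild the SID and confirm that. The script below is an added example, not code from the report or from Joe Sandbox: it parses the API line as printed, rebuilds the SID for any sub-authority count up to 8, and names it from a small constructed lookup table. The identifier authority is an assumption, because the trace shows that argument as an unresolved pointer ('?'); SECURITY_NT_AUTHORITY (5) is assumed, which is what this call shape uses.

```python
"""Added example (not part of the Joe Sandbox report): rebuild the SID that
AllocateAndInitializeSid constructs from the argument values the trace
records, and name it if it is a well-known SID.

Win32 prototype, for reference:
  AllocateAndInitializeSid(pIdentifierAuthority, nSubAuthorityCount,
                           dwSubAuthority0, ..., dwSubAuthority7, pSid)
The trace prints the authority pointer as '?' (not resolved), so the
identifier authority is an ASSUMPTION here: SECURITY_NT_AUTHORITY (5).
"""
import re

SECURITY_NT_AUTHORITY = 5

# Constructed lookup table with a few well-known SIDs (not exhaustive).
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}


def trace_args(line):
    """Split the '(a,b,c)' argument list of one sandbox API line into strings."""
    m = re.search(r"\((.*)\), ref:", line)
    if not m:
        raise ValueError("not an API trace line: %r" % line)
    return [a.strip() for a in m.group(1).split(",")]


def sid_from_allocate_args(args, authority=SECURITY_NT_AUTHORITY):
    """Build 'S-1-<authority>-<sub0>-...' from AllocateAndInitializeSid args.

    args[1] is nSubAuthorityCount (1..8); args[2:2+count] are the
    sub-authorities. Values are hex strings exactly as the trace prints them.
    """
    count = int(args[1], 16)
    if not 1 <= count <= 8:
        raise ValueError("nSubAuthorityCount out of range: %d" % count)
    raw = args[2:2 + count]
    if len(raw) != count or "?" in raw:
        raise ValueError("sub-authorities not resolved in trace")
    subs = [int(a, 16) for a in raw]
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def classify_sid_check(line):
    """Return (sid, friendly name or None) for an AllocateAndInitializeSid line."""
    sid = sid_from_allocate_args(trace_args(line))
    return sid, WELL_KNOWN_SIDS.get(sid)


# Sample input: the AllocateAndInitializeSid line from the report, copied in.
SAMPLE_LINE = ("AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,"
               "00000000,00000000,00000000,00000000,00000000,00000000,?,00000000),"
               " ref: 00406F0F")

if __name__ == "__main__":
    print(classify_sid_check(SAMPLE_LINE))
```

Paired with CheckTokenMembership(NULL, sid, &member), this is the same logic as IsUserAnAdmin: with a NULL token handle the check runs against the calling thread's impersonation token, or the process token if there is none. Under UAC a filtered (non-elevated) admin token carries the Administrators group as deny-only, so the check returns FALSE there; the sample learns whether it is already elevated, not merely whether the user is an administrator.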
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                      • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 020A65F6
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 020A6610
                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 020A6631
                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 020A6652
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                      • Instruction ID: cb6ad25cb2fbb81a7722e61bf799b7e70cbe1e7a66b366e7971022246c863432
                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                      • Instruction Fuzzy Hash: D5118F71600218BFDB619FB9DC1AF9B3FACEB057A5F044024FA09A7250D7B2DD009AA4
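The two records above are the same routine seen in the original image (0x400000) and in the unpacked copy (0x20A0000): a local VirtualAlloc with PAGE_READWRITE (0x04) for a staging buffer, then VirtualAllocEx with MEM_COMMIT (0x1000) and PAGE_EXECUTE_READWRITE (0x40) in another process, then WriteProcessMemory into it. That pair is the primitive behind the "Allocates memory in foreign processes" and "Writes to foreign memory regions" signatures. The script below is an added example, not code from the report or from Joe Sandbox: it parses API lines in the format the report prints, decodes the allocation and protection constants, and emits one finding per VirtualAllocEx-with-executable-protection followed by WriteProcessMemory. Assumptions: argument values are hex as printed and '?' is an unresolved value; the process handle printed in the trace is a stack snapshot and is not trusted, so the rule keys on the API pair and the protection flag only.

```python
"""Added example (not from the report or Joe Sandbox): detect the
VirtualAllocEx(executable) -> WriteProcessMemory injection primitive in a
list of sandbox API lines of the form 'Api.MODULE(arg,...), ref: ADDR'.
ASSUMPTION: hex argument values as printed; '?' means unresolved.
"""
import re

API_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\), ref: ([0-9A-Fa-f]+)")

# Page protection constants (winnt.h); the low byte of flProtect.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
ALLOCATION_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
                   0x100000: "MEM_TOP_DOWN"}


def parse_api_line(line):
    """Return {'api','module','args','ref'} or None if the line is not a call."""
    m = API_RE.search(line)
    if not m:
        return None
    api, module, raw, ref = m.groups()
    args = []
    for a in (raw.split(",") if raw else []):
        a = a.strip()
        args.append(None if a == "?" else int(a, 16))
    return {"api": api, "module": module, "args": args, "ref": ref.upper()}


def flag_names(value, table):
    """OR-ed flag value -> 'A|B' using the given table, else hex."""
    names = [n for bit, n in sorted(table.items()) if value & bit]
    return "|".join(names) if names else "0x%X" % value


def protection_name(prot):
    return PAGE_PROTECTION.get(prot & 0xFF, "0x%X" % prot)


def find_remote_exec_writes(lines):
    """One finding per VirtualAllocEx(exec) followed by WriteProcessMemory."""
    findings, pending = [], None
    for call in filter(None, map(parse_api_line, lines)):
        if call["api"] == "VirtualAllocEx" and len(call["args"]) >= 5:
            prot = call["args"][4]
            if prot is not None and (prot & 0xFF) in EXECUTABLE:
                pending = call        # remember the executable allocation
            continue
        if call["api"] == "WriteProcessMemory" and pending is not None:
            alloc_type = pending["args"][3]
            findings.append({
                "alloc_ref": pending["ref"],
                "write_ref": call["ref"],
                "alloc_type": "?" if alloc_type is None
                              else flag_names(alloc_type, ALLOCATION_TYPE),
                "protection": protection_name(pending["args"][4]),
            })
            pending = None
    return findings


# Sample input: the API lines of the 0x20A0000 copy of the routine, copied in.
SAMPLE_TRACE = [
    "GetModuleHandleA.KERNEL32(00000000), ref: 020A65F6",
    "VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 020A6610",
    "VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 020A6631",
    "WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 020A6652",
]

if __name__ == "__main__":
    for f in find_remote_exec_writes(SAMPLE_TRACE):
        print(f)
```

The routine listed here stops at the write; the call that transfers execution (a remote thread, an APC, or a patched thread context) is not in this function's listing, so the rule deliberately reports the allocate-and-write pair rather than claiming a complete injection chain.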
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                      • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                        • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                        • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                      • String ID:
                                                                      • API String ID: 3754425949-0
                                                                      • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                      • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                      • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                      • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .$GetProcAddress.$l
                                                                      • API String ID: 0-2784972518
                                                                      • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                      • Instruction ID: e5b966f5177895d4a891215d54029842e30c239b6072a214755b45d58e048c9d
                                                                      • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                      • Instruction Fuzzy Hash: 303139B6910709DFDB11CF99C884BAEBBF6FF48324F55404AD441AB210D771EA45CBA4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134977363.00000000005CE000.00000040.00000020.00020000.00000000.sdmp, Offset: 005CE000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_5ce000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: n&]
                                                                      • API String ID: 0-1795985749
                                                                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                      • Instruction ID: 74d2a5ede717648075ea8e3abb3227dea83363ba27dbfb3d1156254d567540d7
                                                                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                      • Instruction Fuzzy Hash: 741170723401009FDB64DE59DCD1EA677EAFB99360B298056ED04CB311D675EC42C760
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                      • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                      • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                      • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                      • Instruction ID: 831887fff615f53a1c2c35c260c0fa2974eaa716cdb29c84aef25042a810f2bd
                                                                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                      • Instruction Fuzzy Hash: 1201DB776117088FDF21CFA4C814BAA33F6FB86216F8544B5D506D7241E774A941DB90
                                                                      APIs
                                                                      • ExitProcess.KERNEL32 ref: 020A9E6D
                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 020A9FE1
                                                                      • lstrcat.KERNEL32(?,?), ref: 020A9FF2
                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 020AA004
                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 020AA054
                                                                      • DeleteFileA.KERNEL32(?), ref: 020AA09F
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 020AA0D6
                                                                      • lstrcpy.KERNEL32 ref: 020AA12F
                                                                      • lstrlen.KERNEL32(00000022), ref: 020AA13C
                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 020A9F13
                                                                        • Part of subcall function 020A7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 020A7081
                                                                        • Part of subcall function 020A6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rftxcrag,020A7043), ref: 020A6F4E
                                                                        • Part of subcall function 020A6F30: GetProcAddress.KERNEL32(00000000), ref: 020A6F55
                                                                        • Part of subcall function 020A6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 020A6F7B
                                                                        • Part of subcall function 020A6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 020A6F92
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 020AA1A2
                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 020AA1C5
                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 020AA214
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 020AA21B
                                                                      • GetDriveTypeA.KERNEL32(?), ref: 020AA265
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 020AA29F
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 020AA2C5
                                                                      • lstrcat.KERNEL32(?,00000022), ref: 020AA2D9
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 020AA2F4
                                                                      • wsprintfA.USER32 ref: 020AA31D
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 020AA345
                                                                      • lstrcat.KERNEL32(?,?), ref: 020AA364
                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 020AA387
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 020AA398
                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 020AA1D1
                                                                        • Part of subcall function 020A9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 020A999D
                                                                        • Part of subcall function 020A9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 020A99BD
                                                                        • Part of subcall function 020A9966: RegCloseKey.ADVAPI32(?), ref: 020A99C6
                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 020AA3DB
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 020AA3E2
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 020AA41D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                      • String ID: "$"$"$D$P$\
                                                                      • API String ID: 1653845638-2605685093
                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                      • Instruction ID: 345476fdb12c07567663f895dd202cf9c58f0bc578d5f07df5a6f900eb2ddf92
                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                      • Instruction Fuzzy Hash: 89F12EB1D4035DAEDF12DBE08C99EEF7BBDAB08304F8484A6E605E2141E7758684DF64
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: D$PromptOnSecureDesktop
                                                                      • API String ID: 2976863881-1403908072
                                                                      • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                      • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                      • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                      • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 020A7D21
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 020A7D46
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 020A7D7D
                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 020A7DA2
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 020A7DC0
                                                                      • EqualSid.ADVAPI32(?,?), ref: 020A7DD1
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 020A7DE5
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 020A7DF3
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 020A7E03
                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 020A7E12
                                                                      • LocalFree.KERNEL32(00000000), ref: 020A7E19
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 020A7E35
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: D$PromptOnSecureDesktop
                                                                      • API String ID: 2976863881-1403908072
                                                                      • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                      • Instruction ID: 0637db7c9990cf519c47353e6708ccefcffa209ff46348719934da6d2ebb7f3c
                                                                      • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                      • Instruction Fuzzy Hash: 41A16B71900209AFDF52CFA0DC98FEEBFB9FB08304F44816AE505E6160D7758A84DB64
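The two records above (original image and unpacked copy) are one routine that takes ownership of a registry key: it opens the key with an access mask of 0x000E0100, reads the owner and DACL (SecurityInformation 0x5), compares the owner SID with the current user's SID (GetUserNameA, LookupAccountNameA, EqualSid), and if they differ builds a fresh 20-byte absolute security descriptor (LocalAlloc(LMEM_ZEROINIT, 0x14), InitializeSecurityDescriptor revision 1), sets the new owner and writes it back with SecurityInformation 0x1. The only string the routine references is the UAC policy value name PromptOnSecureDesktop; the key path itself is not visible in this listing. The script below is an added example, not code from the report or from Joe Sandbox: it decodes the access mask and SECURITY_INFORMATION constants from winnt.h/winreg.h and checks that the calls occur in take-ownership order. The sample call list is constructed from the argument values printed in the 0x400000 record, with unresolved values as None.

```python
"""Added example (not from the report or Joe Sandbox): decode the registry
access mask and SECURITY_INFORMATION values of the key-ownership routine and
check that the API calls form the take-ownership sequence.
ASSUMPTION: argument positions follow the documented Win32 prototypes and
values are the hex numbers printed in the trace (None = unresolved).
"""

# Registry-specific rights (winreg.h) and standard rights (winnt.h).
ACCESS_MASK_BITS = {
    0x00000001: "KEY_QUERY_VALUE",
    0x00000002: "KEY_SET_VALUE",
    0x00000004: "KEY_CREATE_SUB_KEY",
    0x00000008: "KEY_ENUMERATE_SUB_KEYS",
    0x00000010: "KEY_NOTIFY",
    0x00000020: "KEY_CREATE_LINK",
    0x00000100: "KEY_WOW64_64KEY",
    0x00000200: "KEY_WOW64_32KEY",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
SECURITY_INFORMATION_BITS = {
    0x1: "OWNER_SECURITY_INFORMATION",
    0x2: "GROUP_SECURITY_INFORMATION",
    0x4: "DACL_SECURITY_INFORMATION",
    0x8: "SACL_SECURITY_INFORMATION",
}

# Calls that must appear, in this order, for a take-ownership sequence.
TAKE_OWNERSHIP_ORDER = [
    "RegOpenKeyExA", "RegGetKeySecurity", "GetSecurityDescriptorOwner",
    "EqualSid", "InitializeSecurityDescriptor", "SetSecurityDescriptorOwner",
    "RegSetKeySecurity",
]


def decode_bits(value, table):
    """OR-ed flags -> 'A|B|...' in ascending bit order; unknown bits kept as hex."""
    names = [n for bit, n in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append("0x%X" % leftover)
    return "|".join(names) if names else "0"


def in_order(names, wanted):
    """True if every entry of `wanted` appears in `names`, in that order."""
    pos = 0
    for w in wanted:
        try:
            pos = names.index(w, pos) + 1
        except ValueError:
            return False
    return True


def analyse_key_ownership_calls(calls):
    """calls: list of (api, args) in trace order. Returns decoded flags and a
    verdict that the routine rewrites the key owner."""
    out = {}
    for api, args in calls:
        if api == "RegOpenKeyExA":            # samDesired is argument 4
            out["open_access"] = decode_bits(args[3], ACCESS_MASK_BITS)
        elif api == "RegGetKeySecurity":      # SecurityInformation is argument 2
            out["read_info"] = decode_bits(args[1], SECURITY_INFORMATION_BITS)
        elif api == "RegSetKeySecurity":
            out["write_info"] = decode_bits(args[1], SECURITY_INFORMATION_BITS)
    out["take_ownership"] = (
        in_order([api for api, _ in calls], TAKE_OWNERSHIP_ORDER)
        and "WRITE_OWNER" in out.get("open_access", "")
        and "OWNER_SECURITY_INFORMATION" in out.get("write_info", "")
    )
    return out


# Constructed sample: argument values from the 0x400000 record of the routine.
SAMPLE_CALLS = [
    ("RegOpenKeyExA", [0xE4, 0x22, 0, 0x000E0100, 0, 0]),
    ("GetUserNameA", [None, None]),
    ("LookupAccountNameA", [0, None, None, 0x41070C, None, 0x4133B0, None]),
    ("RegGetKeySecurity", [0, 5, None, None]),
    ("GetSecurityDescriptorOwner", [None, 0x22, 0x80000002]),
    ("EqualSid", [None, 0x22]),
    ("LocalAlloc", [0x40, 0x14]),
    ("InitializeSecurityDescriptor", [0, 1]),
    ("SetSecurityDescriptorOwner", [0, None, 0]),
    ("RegSetKeySecurity", [0, 1, 0]),
    ("LocalFree", [0]),
    ("GetSecurityDescriptorDacl", [None, 0x407FC9, None, 0]),
]

if __name__ == "__main__":
    print(analyse_key_ownership_calls(SAMPLE_CALLS))
```

Two details the decode makes visible: WRITE_OWNER is granted only to the current owner or to a caller holding SeTakeOwnershipPrivilege, so this open succeeds only from an elevated token; and KEY_WOW64_64KEY means the 32-bit sample is deliberately addressing the native 64-bit view of the key instead of the WOW6432Node redirect. The routine ends with GetSecurityDescriptorDacl, so whatever it does to the DACL afterwards lies outside this listing.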
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                      • API String ID: 2400214276-165278494
                                                                      • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                      • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                      • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                      • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0040A7FB
                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                      • wsprintfA.USER32 ref: 0040A8AF
                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                      • wsprintfA.USER32 ref: 0040A8E2
                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                      • wsprintfA.USER32 ref: 0040A9B9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                      • API String ID: 3650048968-2394369944
                                                                      • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                      • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                      • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                      • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
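The string table of the function above gives the client side of the spam module's SMTP dialog: lower-case envelope verbs (ehlo %s, helo %s, mail from:<%s>, rcpt to:<%s>, data, quit), an upper-case AUTH LOGIN, the "." terminator sent after the body, and the reply-size errors (Too big smtp respons, Too small respons) around a recv() into a 0x3F6-byte buffer. The Python below is an added example written for this report, not code from the report or from the sample: a session-level heuristic that turns that template into a check over logged client commands. The two sessions are constructed; the verdict threshold (three lower-case envelope verbs, none upper-case) is the example's own choice.

```python
import re

# Client command templates recovered from the function's string table:
# envelope verbs are lower-case ("ehlo %s", "mail from:<%s>", ...) while the
# authentication verb is upper-case ("AUTH LOGIN"). Production MTAs emit the
# whole dialog in upper case, so that mix is what the heuristic keys on.
VERB_RE = re.compile(r"^(ehlo|helo|mail from|rcpt to|data|quit|auth login)(?=[ :]|$)",
                     re.IGNORECASE)

# Size of the reply buffer handed to recv() in the listing (0x3F6 = 1014 bytes).
BOT_RECV_BUFFER = 0x3F6


def parse_client_commands(raw: str) -> list:
    """Return the command lines of a logged client->server SMTP stream.
    The DATA body, everything up to the lone '.' terminator the module sends,
    is message content and is skipped so that words inside it are never
    mistaken for verbs."""
    commands, in_data = [], False
    for line in raw.split("\r\n"):
        if in_data:
            in_data = line != "."
            continue
        if line:
            commands.append(line)
            in_data = line.lower() == "data"
    return commands


def score_session(raw: str) -> dict:
    """Classify one client dialog. Only the case of the verb itself is
    examined; the host name or address that follows it may be any case."""
    lower = upper = 0
    auth_login_upper = False
    for command in parse_client_commands(raw):
        m = VERB_RE.match(command)
        if not m:
            continue                      # base64 credentials, unknown verbs
        verb = m.group(1)
        if verb.lower() == "auth login":
            auth_login_upper = verb.isupper()
        elif verb.islower():
            lower += 1
        elif verb.isupper():
            upper += 1
    # Match only when every envelope verb is lower-case: a mixed dialog is not
    # this template, and three verbs is the shortest complete envelope
    # (helo/ehlo, mail from, rcpt to) before DATA.
    matched = lower >= 3 and upper == 0
    return {
        "lower_envelope_verbs": lower,
        "upper_envelope_verbs": upper,
        "auth_login_upper": auth_login_upper,
        "verdict": "tofsee-like" if matched else "not matched",
    }


# Constructed sample dialogs (client side only), as a network sensor would log
# them; neither is a real capture.
LEGIT_SESSION = (
    "EHLO mx1.example.org\r\n"
    "MAIL FROM:<alice@example.org>\r\n"
    "RCPT TO:<bob@example.net>\r\n"
    "DATA\r\n"
    "Subject: quit\r\n\r\nquit\r\n"   # body text must not be counted as verbs
    ".\r\n"
    "QUIT\r\n"
)
BOT_SESSION = (
    "ehlo WIN-7PC\r\n"
    "AUTH LOGIN\r\n"
    "dXNlcg==\r\n"                    # base64 credentials, not verbs
    "cGFzcw==\r\n"
    "mail from:<promo@example.org>\r\n"
    "rcpt to:<victim@example.net>\r\n"
    "data\r\n"
    "Subject: offer\r\n\r\nbody\r\n"
    ".\r\n"
    "quit\r\n"
)
```

SMTP verbs are case-insensitive (RFC 5321, section 2.4), so a lower-case dialog is legal and this check is a fingerprint, not proof; correlate it with host role (a workstation with no mail client speaking to port 25 at many destinations). The recv() size and the "Too big smtp respons" string together suggest the client treats any reply longer than 1014 bytes as an error, so a server whose EHLO response exceeds that would, by these strings, be abandoned by this module.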
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 020A7A96
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 020A7ACD
                                                                      • GetLengthSid.ADVAPI32(?), ref: 020A7ADF
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 020A7B01
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 020A7B1F
                                                                      • EqualSid.ADVAPI32(?,?), ref: 020A7B39
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 020A7B4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 020A7B58
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 020A7B68
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 020A7B77
                                                                      • LocalFree.KERNEL32(00000000), ref: 020A7B7E
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 020A7B9A
                                                                      • GetAce.ADVAPI32(?,?,?), ref: 020A7BCA
                                                                      • EqualSid.ADVAPI32(?,?), ref: 020A7BF1
                                                                      • DeleteAce.ADVAPI32(?,?), ref: 020A7C0A
                                                                      • EqualSid.ADVAPI32(?,?), ref: 020A7C2C
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 020A7CB1
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 020A7CBF
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 020A7CD0
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 020A7CE0
                                                                      • LocalFree.KERNEL32(00000000), ref: 020A7CEE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction ID: d4f6ae7d1b89637be8473dcf23a6ec6b1efb09bdba51b7ec22e4f717dec1f03f
                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction Fuzzy Hash: A2814D71900219AFDB12CFE4DD94FEEBBF8AF08304F44817AE505E6160D7759641DBA4
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                      • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                      • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                      • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: PromptOnSecureDesktop$localcfg
                                                                      • API String ID: 237177642-1678164370
                                                                      • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                      • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                      • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                      • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                      APIs
                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                      • API String ID: 835516345-270533642
                                                                      • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                      • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                      • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                      • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 020A865A
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 020A867B
                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 020A86A8
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 020A86B1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: "$PromptOnSecureDesktop
                                                                      • API String ID: 237177642-3108538426
                                                                      • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                      • Instruction ID: 9d4e47e9dfae253e2eae7b4b49cc444ac92c217678933ff5f72bc221e5dcfe81
                                                                      • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                      • Instruction Fuzzy Hash: DEC1C4B1900309BEEB52EBE4DC95EEF7BBDEB04304F548075F504E6050EBB18A94AB65
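The two registry routines above (at 004083F3 in the on-disk image and again at 020A865A in the unpacked copy) open a key under HKLM (0x80000002) with KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_WOW64_64KEY (0x103), query it, and write a 4-byte REG_DWORD (type 4) next to the string PromptOnSecureDesktop. The key path is passed as a pointer and is not recoverable from the listing; the location below is the documented home of that UAC policy value, not something read from the report. The Python is an added example, not code from the report or the sample: detection logic over Sysmon Event ID 13 (RegistryEvent, Value Set) records. It generalises beyond the page by also watching EnableLUA and ConsentPromptBehaviorAdmin, the sibling UAC values a 0 write weakens the same way; the records and the allow-list are constructed.

```python
import re

# Documented location of the UAC policy value named in the listing. The key
# path is passed as a pointer ('?') in the call arguments, so it is not taken
# from the report.
UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Generalised beyond the listing, which names only PromptOnSecureDesktop:
# the sibling UAC policy values that a 0 write weakens in the same way.
UAC_VALUES = frozenset({"PromptOnSecureDesktop", "EnableLUA", "ConsentPromptBehaviorAdmin"})

# Sysmon renders REG_DWORD data in Event ID 13 as "DWORD (0x%08x)".
DWORD_RE = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def parse_dword(details):
    """Return the integer behind Sysmon's DWORD rendering, or None when the
    value written was not a REG_DWORD (the listing writes type 4, size 4)."""
    m = DWORD_RE.match(details or "")
    return int(m.group(1), 16) if m else None


def evaluate_event(event: dict, trusted_images=frozenset()):
    """Return a finding for one Sysmon Event ID 13 record, or None.
    `trusted_images` is an assumed allow-list of the organisation's own
    management tooling, given as lower-cased full paths."""
    if event.get("EventID") != 13:
        return None
    key, _, value_name = event.get("TargetObject", "").rpartition("\\")
    if key.lower() != UAC_POLICY_KEY.lower() or value_name not in UAC_VALUES:
        return None
    image = event.get("Image", "")
    if image.lower() in trusted_images:
        return None
    data = parse_dword(event.get("Details"))
    # A 0 written to any of these values removes a UAC protection; any other
    # write (or a non-DWORD write) from an untrusted image still deserves a look.
    severity = "high" if data == 0 else "medium"
    return {"severity": severity, "image": image, "value": value_name,
            "data": data, "utc_time": event.get("UtcTime")}


def scan(events, trusted_images=frozenset()):
    """Evaluate a batch of Sysmon records and keep only the findings."""
    return [f for f in (evaluate_event(e, trusted_images) for e in events) if f]


# Constructed Sysmon Event ID 13 records in the field layout Sysmon exports
# (UtcTime, Image, TargetObject, Details); not taken from the report.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-05-20 10:00:01.000",
     "Image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "TargetObject": UAC_POLICY_KEY + r"\PromptOnSecureDesktop",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2024-05-20 10:00:02.000",
     "Image": r"C:\Users\user\AppData\Local\Temp\sample.exe",
     "TargetObject": UAC_POLICY_KEY + r"\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "UtcTime": "2024-05-20 10:05:00.000",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": UAC_POLICY_KEY + r"\PromptOnSecureDesktop",
     "Details": "DWORD (0x00000001)"},        # an admin restoring the default
    {"EventID": 13, "UtcTime": "2024-05-20 10:06:00.000",
     "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\App\PromptOnSecureDesktop",
     "Details": "DWORD (0x00000000)"},        # same value name, unrelated key
    {"EventID": 12, "UtcTime": "2024-05-20 10:07:00.000",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": UAC_POLICY_KEY,
     "Details": None},                         # key open/create, not a write
]
```

The data written is not recoverable from the listing (only the type and size are), so a rule keyed on this routine should fire on the write itself and use the DWORD value only to set severity, as above. Sysmon must be configured to record this key (a RegistryEvent rule on the Policies\System path), otherwise Event ID 13 is never emitted for it.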
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 020A1601
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 020A17D8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $<$@$D
                                                                      • API String ID: 1628651668-1974347203
                                                                      • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                      • Instruction ID: a442a84df4adc8caf7d1d3a09cdf5d8579a17bf7f4e7e7fe93dfb48c43e0d4f5
                                                                      • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                      • Instruction Fuzzy Hash: EDF17CB15083419FD721CFA4C898BABF7E5FB88304F80892DF59A972A0D7B4D944CB56
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 020A76D9
                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 020A7757
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 020A778F
                                                                      • ___ascii_stricmp.LIBCMT ref: 020A78B4
                                                                      • RegCloseKey.ADVAPI32(?), ref: 020A794E
                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 020A796D
                                                                      • RegCloseKey.ADVAPI32(?), ref: 020A797E
                                                                      • RegCloseKey.ADVAPI32(?), ref: 020A79AC
                                                                      • RegCloseKey.ADVAPI32(?), ref: 020A7A56
                                                                        • Part of subcall function 020AF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,020A772A,?), ref: 020AF414
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 020A79F6
                                                                      • RegCloseKey.ADVAPI32(?), ref: 020A7A4D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "$PromptOnSecureDesktop
                                                                      • API String ID: 3433985886-3108538426
                                                                      • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                      • Instruction ID: 62bda84a10ba7cf96a6639c2855975faa0b81b43f15a49c772ecd50987c6bacc
                                                                      • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                      • Instruction Fuzzy Hash: EAC1B571900309AFDB529BE4DC54FEEBBF9EF49310F9440A6E504E6160EB719A84DB60
                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 020A2CED
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 020A2D07
                                                                      • htons.WS2_32(00000000), ref: 020A2D42
                                                                      • select.WS2_32 ref: 020A2D8F
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 020A2DB1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 020A2E62
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                      • String ID:
                                                                      • API String ID: 127016686-0
                                                                      • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                      • Instruction ID: 412e430a3b88a70fad87d589bfb8095c6f4033a5f58d33fb7ccbd1c826ac9f99
                                                                      • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                      • Instruction Fuzzy Hash: A961EF71504305AFC321EFA0DC58BABBBE8FB88745F804829FD8597151D7B5D880EBA6
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                        • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                        • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                        • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                        • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                      • wsprintfA.USER32 ref: 0040AEA5
                                                                        • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                      • wsprintfA.USER32 ref: 0040AE4F
                                                                      • wsprintfA.USER32 ref: 0040AE5E
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                      • API String ID: 3631595830-1816598006
                                                                      • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                      • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                      • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                      • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
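The function above assembles mail headers from templates: a MIME boundary in the form ----=_NextPart_%03d_%04X_%08.8lX.%08.8lX fed from GetLocalTime converted by SystemTimeToFileTime, a Message-ID in the form %08x@%s whose host comes from gethostname() with the literal LocalHost as fallback, and %OUTLOOK_BND_ / %OUTLOOK_HST / %OUTLOOK_MID placeholders. The two 8-hex-digit fields are consistent with the boundary Outlook Express generates, which carries the FILETIME of the message; this example treats that reading as an assumption and decodes the fields accordingly. The Python below is an added example, not code from the report or the sample: a mail-filter check that combines the boundary, the Message-ID shape and the time the boundary embeds. The messages are constructed, and the FILETIME 0x01DAAA9C.7A0AD000 was computed for the example (2024-05-20 10:00:00 UTC).

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Boundary template from the listing: ----=_NextPart_%03d_%04X_%08.8lX.%08.8lX
BOUNDARY_RE = re.compile(r"^----=_NextPart_(\d{3})_([0-9A-F]{4})_([0-9A-F]{8})\.([0-9A-F]{8})$")
# Message-ID template from the listing: %08x@%s, where %s is gethostname()
# (usually an unqualified computer name) or the literal "LocalHost" fallback.
MSGID_RE = re.compile(r"^<([0-9a-f]{8})@([^>]+)>$")

# 100-ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch.
FILETIME_EPOCH_DELTA = 116444736000000000


def filetime_to_datetime(high: int, low: int) -> datetime:
    """Decode a Windows FILETIME given as its two 32-bit halves."""
    ticks = (high << 32) | low
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(
        microseconds=(ticks - FILETIME_EPOCH_DELTA) // 10)


def _parse_date(value):
    """Parse a Date header; treat a missing zone as UTC so it is comparable."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def inspect_message(raw: str, skew: timedelta = timedelta(hours=26)) -> dict:
    """Check one RFC 5322 message for the header shapes the templates produce.
    Genuine Outlook Express mail uses the same boundary format, so the
    boundary alone never yields a finding; it is combined with the Message-ID
    shape and with the time it embeds."""
    msg = message_from_string(raw)
    findings, embedded = [], None

    m = BOUNDARY_RE.match(msg.get_boundary() or "")
    if m:
        embedded = filetime_to_datetime(int(m.group(3), 16), int(m.group(4), 16))
        sent = _parse_date(msg.get("Date"))
        # The template is filled from GetLocalTime (local, not UTC), so allow a
        # generous skew; a boundary copied from a template is off by far more
        # than any time zone.
        if sent is None or abs(embedded - sent) > skew:
            findings.append("boundary FILETIME does not match Date header")

    mid = MSGID_RE.match((msg.get("Message-ID") or "").strip())
    if mid:
        host = mid.group(2)
        if host.lower() == "localhost" or "." not in host:
            findings.append(f"Message-ID %08x@%s with LocalHost/unqualified host: {host}")
        elif m:
            findings.append("Message-ID in %08x@%s shape beside an Outlook-style boundary")

    return {
        "outlook_boundary": m is not None,
        "embedded_time": embedded.isoformat() if embedded else None,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


def build_message(date: str, boundary: str, message_id: str) -> str:
    """Constructed sample message for the example; not a real capture."""
    return (
        "From: promo@example.org\r\n"
        "To: victim@example.net\r\n"
        "Subject: offer\r\n"
        f"Date: {date}\r\n"
        f"Message-ID: {message_id}\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/alternative; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\nContent-Type: text/plain\r\n\r\nhello\r\n--{boundary}--\r\n"
    )


# FILETIME 0x01DAAA9C.7A0AD000 == 2024-05-20T10:00:00Z, computed for this example.
BOUNDARY = "----=_NextPart_000_0007_01DAAA9C.7A0AD000"
BOT_MESSAGE = build_message("Mon, 20 May 2024 10:00:00 +0000", BOUNDARY,
                            "<a1b2c3d4@LocalHost>")
REUSED_BOUNDARY = build_message("Tue, 05 Mar 2024 08:00:00 +0000", BOUNDARY,
                                "<a1b2c3d4@mail.example.org>")
GENUINE_SHAPE = build_message("Mon, 20 May 2024 11:30:00 +0200", BOUNDARY,
                              "<000a01daaa9c$1234abcd$0a000001@desk.example.org>")
```

The LocalHost fallback and the unqualified gethostname() result are the strongest signals here: a legitimate MTA stamps a fully qualified host into the Message-ID. The time check is only meaningful when the sender reuses a boundary verbatim from a template; a bot that fills the FILETIME at send time, as the GetLocalTime call above indicates this one does, passes it.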
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                      • htons.WS2_32(00000035), ref: 00402E88
                                                                      • inet_addr.WS2_32(?), ref: 00402E93
                                                                      • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                      • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                       • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                      • API String ID: 929413710-2099955842
                                                                      • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                      • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                      • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                      • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?), ref: 020A95A7
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 020A95D5
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 020A95DC
                                                                      • wsprintfA.USER32 ref: 020A9635
                                                                      • wsprintfA.USER32 ref: 020A9673
                                                                      • wsprintfA.USER32 ref: 020A96F4
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 020A9758
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 020A978D
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 020A97D8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3696105349-2980165447
                                                                      • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction ID: 62c9520377fa85e79f4d849210d7de1b2a0d4281b18f5a9853740010a1bc9257
                                                                      • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction Fuzzy Hash: 87A149B2A0030CAFEB22DFE0CC95FDE3BADAB04745F904026FA1596151E7B59584DFA4
                                                                      APIs
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                      • API String ID: 1586166983-142018493
                                                                      • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                      • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0040B467
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$wsprintf
                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                      • API String ID: 1220175532-2340906255
                                                                      • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                      • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                      • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                      • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 020A202D
                                                                      • GetSystemInfo.KERNEL32(?), ref: 020A204F
                                                                      • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 020A206A
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 020A2071
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 020A2082
                                                                      • GetTickCount.KERNEL32 ref: 020A2230
                                                                        • Part of subcall function 020A1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 020A1E7C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                      • API String ID: 4207808166-1391650218
                                                                      • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                      • Instruction ID: 48b3b098f2e1f3fb972b998b3423a9b0f9b00ffb04360d380e918ee76733cd36
                                                                      • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                      • Instruction Fuzzy Hash: E251D5B0500348AFE330AFB58C95FA7BAECEF54704F80493DF99682142D7B9A584DB65
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00402078
                                                                      • GetTickCount.KERNEL32 ref: 004020D4
                                                                      • GetTickCount.KERNEL32 ref: 004020DB
                                                                      • GetTickCount.KERNEL32 ref: 0040212B
                                                                      • GetTickCount.KERNEL32 ref: 00402132
                                                                      • GetTickCount.KERNEL32 ref: 00402142
                                                                        • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                        • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                        • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                        • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                        • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                      • API String ID: 3976553417-1522128867
                                                                      • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                      • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                      • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                      • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                      APIs
                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                      • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                      • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                      • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                      APIs
                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                      • String ID: localcfg
                                                                      • API String ID: 1553760989-1857712256
                                                                      • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                      • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 020A3068
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 020A3078
                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 020A3095
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 020A30B6
                                                                      • htons.WS2_32(00000035), ref: 020A30EF
                                                                      • inet_addr.WS2_32(?), ref: 020A30FA
                                                                      • gethostbyname.WS2_32(?), ref: 020A310D
                                                                      • HeapFree.KERNEL32(00000000), ref: 020A314D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: iphlpapi.dll
                                                                      • API String ID: 2869546040-3565520932
                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction ID: baa5971caa1a10f735480e3f2a78720f46e18442652965d16afe758e967ab6d7
                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction Fuzzy Hash: E0313831A00706ABCF529BF89C58BAE7BF8EF04324F5441A5F518E7290DB74D581DB58
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                      • API String ID: 3560063639-3847274415
                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                      • API String ID: 1082366364-2834986871
                                                                      • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                      • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                      • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                      • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                      • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                      • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                      • String ID: D$PromptOnSecureDesktop
                                                                      • API String ID: 2981417381-1403908072
                                                                      • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                      • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                      • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                      • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                      APIs
                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 020A67C3
                                                                      • htonl.WS2_32(?), ref: 020A67DF
                                                                      • htonl.WS2_32(?), ref: 020A67EE
                                                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 020A68F1
                                                                      • ExitProcess.KERNEL32 ref: 020A69BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Processhtonl$CurrentExitHugeRead
                                                                      • String ID: except_info$localcfg
                                                                      • API String ID: 1150517154-3605449297
                                                                      • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                      • Instruction ID: 8320da11aa159f6d68ddd7f0c737b5fccf35bec2514bac9506b598a3b9dc5b53
                                                                      • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                      • Instruction Fuzzy Hash: 88616C71A40208AFDF609FB4DC45FEA77F9FB08300F148066FA69D2161EB7599909F14
                                                                      APIs
                                                                      • htons.WS2_32(020ACC84), ref: 020AF5B4
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 020AF5CE
                                                                      • closesocket.WS2_32(00000000), ref: 020AF5DC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                      • Instruction ID: e2aaa832eaffb611bf0f65115c64ab05f541083ae64ac54ad25b05570a415079
                                                                      • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                      • Instruction Fuzzy Hash: B6318E72900219ABDB11DFA9DC88DEE7BFCEF88350F104566F905D3150E7718A819BE4
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                      • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                      • wsprintfA.USER32 ref: 00407036
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                      • String ID: /%d$|
                                                                      • API String ID: 676856371-4124749705
                                                                      • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                      • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                      • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                      • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(?), ref: 020A2FA1
                                                                      • LoadLibraryA.KERNEL32(?), ref: 020A2FB1
                                                                      • GetProcAddress.KERNEL32(00000000,004103F0), ref: 020A2FC8
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 020A3000
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 020A3007
                                                                      • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 020A3032
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                      • String ID: dnsapi.dll
                                                                      • API String ID: 1242400761-3175542204
                                                                      • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                      • Instruction ID: 8b190a9ef58e854df51934a2e3d157df8da181a8e0b11b2d6e77f3198e8c6ad1
                                                                      • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                      • Instruction Fuzzy Hash: 8A219271D00329BBCB229B94DC59EEEBBB8EF08B10F408471F901E7140D7B59A819BD4
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Code
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3609698214-2980165447
                                                                      • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                      • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                      • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                      • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rftxcrag,020A7043), ref: 020A6F4E
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 020A6F55
                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 020A6F7B
                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 020A6F92
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                      • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\rftxcrag
                                                                      • API String ID: 1082366364-519530613
                                                                      • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                      • Instruction ID: b7fbcaec9d9943d5adcc10cd0842c48ebca07a00c99b8492a44c5a7989218970
                                                                      • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                      • Instruction Fuzzy Hash: 3D2143217403407EF76353709CADFFB2E9D8B12764F8C80A5F800E6491DBDA80D692AD
                                                                      APIs
                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                      • wsprintfA.USER32 ref: 004090E9
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 2439722600-2980165447
                                                                      • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                      • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                      • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                      • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                      APIs
                                                                      • GetTempPathA.KERNEL32(00000400,?), ref: 020A92E2
                                                                      • wsprintfA.USER32 ref: 020A9350
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 020A9375
                                                                      • lstrlen.KERNEL32(?,?,00000000), ref: 020A9389
                                                                      • WriteFile.KERNEL32(00000000,?,00000000), ref: 020A9394
                                                                      • CloseHandle.KERNEL32(00000000), ref: 020A939B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 2439722600-2980165447
                                                                      • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                      • Instruction ID: e428086bef2473dd5eb0babbad6029123c8c28ef116fd534fc765cf5e6cca1d9
                                                                      • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                      • Instruction Fuzzy Hash: 791196B27402147BE7216772EC0DFEF3A7EDBC8B10F40C075BB09E5091EAB54A419A64
                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 020A9A18
                                                                      • GetThreadContext.KERNEL32(?,?), ref: 020A9A52
                                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 020A9A60
                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 020A9A98
                                                                      • SetThreadContext.KERNEL32(?,00010002), ref: 020A9AB5
                                                                      • ResumeThread.KERNEL32(?), ref: 020A9AC2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                      • String ID: D
                                                                      • API String ID: 2981417381-2746444292
                                                                      • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                      • Instruction ID: b7d0c6e693ee884e802bbef01839e6c412e5f7b4673f4c3985bb06bc906819cf
                                                                      • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                      • Instruction Fuzzy Hash: DA216BB1A01219BBDF119BE1DC09EEF7BBCEF14750F804061BA09E1050E7718A40DBA4
                                                                      APIs
                                                                      • inet_addr.WS2_32(004102D8), ref: 020A1C18
                                                                      • LoadLibraryA.KERNEL32(004102C8), ref: 020A1C26
                                                                      • GetProcessHeap.KERNEL32 ref: 020A1C84
                                                                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 020A1C9D
                                                                      • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 020A1CC1
                                                                      • HeapFree.KERNEL32(?,00000000,00000000), ref: 020A1D02
                                                                      • FreeLibrary.KERNEL32(?), ref: 020A1D0B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                      • String ID:
                                                                      • API String ID: 2324436984-0
                                                                      • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                      • Instruction ID: 57b16dbde93976a37d884de8d13fac99443055deb654ac47ea0e5f82f3ffbc5b
                                                                      • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                      • Instruction Fuzzy Hash: 0A315C32E00319BFCB529FE4DC989EEFAB9EB45305F64447AE509A2110D7B54E80EB94
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                      • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: QueryValue$CloseOpen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 1586453840-2980165447
                                                                      • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                      • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                      • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                      • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                      • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$CreateEvent
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 1371578007-2980165447
                                                                      • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                      • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                      • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                      • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                      APIs
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 020A6CE4
                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 020A6D22
                                                                      • GetLastError.KERNEL32 ref: 020A6DA7
                                                                      • CloseHandle.KERNEL32(?), ref: 020A6DB5
                                                                      • GetLastError.KERNEL32 ref: 020A6DD6
                                                                      • DeleteFileA.KERNEL32(?), ref: 020A6DE7
                                                                      • GetLastError.KERNEL32 ref: 020A6DFD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                      • String ID:
                                                                      • API String ID: 3873183294-0
                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction ID: dc98c336f569d8e243e30c122d1a33d0401ea14ad32e6fff0772d3b5c3118cb4
                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction Fuzzy Hash: B531DD76D00249BFCF019FE4DD58ADE7FBDEB48340F588065E211A3250D7728A95AB61
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3857584221-2980165447
                                                                      • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                      • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                      • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                      • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 020A93C6
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 020A93CD
                                                                      • CharToOemA.USER32(?,?), ref: 020A93DB
                                                                      • wsprintfA.USER32 ref: 020A9410
                                                                        • Part of subcall function 020A92CB: GetTempPathA.KERNEL32(00000400,?), ref: 020A92E2
                                                                        • Part of subcall function 020A92CB: wsprintfA.USER32 ref: 020A9350
                                                                        • Part of subcall function 020A92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 020A9375
                                                                        • Part of subcall function 020A92CB: lstrlen.KERNEL32(?,?,00000000), ref: 020A9389
                                                                        • Part of subcall function 020A92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 020A9394
                                                                        • Part of subcall function 020A92CB: CloseHandle.KERNEL32(00000000), ref: 020A939B
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 020A9448
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3857584221-2980165447
                                                                      • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                      • Instruction ID: 4bad0184bc5662c241febddde2b89e8ce6c0143a4e350715061bacf2deb21036
                                                                      • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                      • Instruction Fuzzy Hash: 7F015EF69002187BDB21A7A19D8DEDF3B7CDB95701F4040A2BB49E2080EAB497C58F75
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen
                                                                      • String ID: $localcfg
                                                                      • API String ID: 1659193697-2018645984
                                                                      • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                      • Instruction ID: 17879b1082c6a96fff6801515949e322a06f7d547194207997f2bdf13646423d
                                                                      • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                      • Instruction Fuzzy Hash: 9C714F71B003046AEF728BD4DCA5FEE37B99B00309FA44026F946A60D1DF6655C4EB65
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                      • String ID: flags_upd$localcfg
                                                                      • API String ID: 204374128-3505511081
                                                                      • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                      • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                      APIs
                                                                        • Part of subcall function 020ADF6C: GetCurrentThreadId.KERNEL32 ref: 020ADFBA
                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 020AE8FA
                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,020A6128), ref: 020AE950
                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 020AE989
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                      • String ID: A$ A$ A
                                                                      • API String ID: 2920362961-1846390581
                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                      • Instruction ID: f545a54cfd25686f3e7dbeabb9c66701f5fc1ba2581d4eb50cefb986c4c294aa
                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                      • Instruction Fuzzy Hash: B231AD31A00705DBDFB2CFA4C8A4BAA7BE4FF05724F80893AE59587551D370E884EB91
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Code
                                                                      • String ID:
                                                                      • API String ID: 3609698214-0
                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                      • Instruction ID: 64c684afc3d1ba0d1381d759c4507e510c8cfa718d00bd45f358d0d86cc76cc5
                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                      • Instruction Fuzzy Hash: 8E215872204219FFDF11EBB0EC58EDF7EBDEB48264B548421F502D1090EB72DA00AA74
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                      • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                      • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0040E538,?,76230F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                      • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 3819781495-0
                                                                      • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                      • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                      • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                      • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 020AC6B4
                                                                      • InterlockedIncrement.KERNEL32(020AC74B), ref: 020AC715
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,020AC747), ref: 020AC728
                                                                      • CloseHandle.KERNEL32(00000000,?,020AC747,00413588,020A8A77), ref: 020AC733
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 1026198776-1857712256
                                                                      • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                      • Instruction ID: e9e086568a1c7ee87f1347cde489bdf311e39b175b4a729c56fd2f93dbe96782
                                                                      • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                      • Instruction Fuzzy Hash: 46515FB1A00B418FD765CFA9C5E462ABBE9FB48304B91593FE18BC7A90D774E840DB50
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0040815F
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408187
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 004081BE
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408210
                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                        • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                        • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                        • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                        • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 124786226-2980165447
                                                                      • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                      • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                      • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                      • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                      • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                      • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                      • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 2667537340-2980165447
                                                                      • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                      • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                      • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                      • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,020AE50A,00000000,00000000,00000000,00020106,00000000,020AE50A,00000000,000000E4), ref: 020AE319
                                                                      • RegSetValueExA.ADVAPI32(020AE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 020AE38E
                                                                      • RegDeleteValueA.ADVAPI32(020AE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 020AE3BF
                                                                      • RegCloseKey.ADVAPI32(020AE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,020AE50A), ref: 020AE3C8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 2667537340-2980165447
                                                                      • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                      • Instruction ID: e3c57fa482e4ec4bd7f65844f39fe8369047f54edc07199bf2a12eae9230f1e9
                                                                      • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                      • Instruction Fuzzy Hash: 5B214B72A00219BBDB219FE5EC99EDE7FA9EF08750F408071E904A6150E3718A54EBA0
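A triage helper, added here as an example and not code from the Joe Sandbox report or from the analysed sample: it parses per-function API listings in the `Name.Module(args), ref: addr` form used above (including the indented "Part of subcall function" lines) and flags two of the chains shown on this page, the GetModuleFileNameA / GetTempPathA / CreateFileA / WriteFile / ShellExecuteA sequence of the functions at 0040915F and 020A93C6, and the HKEY_CURRENT_USER RegCreateKeyExA / RegSetValueExA write of the functions at 0040E0B2 and 020AE319. The rule names are my own, the sample listings are copied from this report, and the decoded constants (HKEY roots, REG_* types, GENERIC_WRITE, CREATE_ALWAYS) are standard Win32 values; whether a matched chain is actually self-deletion or configuration storage is something the listing alone cannot prove.

```python
# Added example (my own triage helper, not code from the Joe Sandbox report or from the sample):
# parse per-function API listings of the form
#   • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
#   • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
#   • GetLastError.KERNEL32 ref: 020A6DA7
# and match the resulting call chains against hypothetical triage rules.
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"          # argument list, absent for e.g. GetLastError
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?"
)

# Standard Win32 constants, keyed by the hex values printed in the listing.
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


@dataclass
class Call:
    api: str
    module: str
    args: list        # raw tokens; "?" is a value the sandbox could not recover
    ref: str          # call-site address
    parent: str = ""  # caller address for "Part of subcall function" lines


def to_int(tok: str):
    """Hex token -> int; None for '?' and for string literals such as PromptOnSecureDesktop."""
    try:
        return int(tok, 16)
    except ValueError:
        return None


def parse_calls(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or (m["args"] is None and m["ref"] is None):
            continue  # "Source File: ...", "Memory Dump Source" etc. carry neither args nor a ref
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["module"], args, m["ref"] or "", m["parent"] or ""))
    return calls


def describe_createfile(call: Call) -> str:
    """Decode dwDesiredAccess (arg 1) and dwCreationDisposition (arg 4) of a CreateFileA call."""
    access = to_int(call.args[1]) if len(call.args) > 1 else None
    disp = to_int(call.args[4]) if len(call.args) > 4 else None
    names = [n for bit, n in ACCESS.items() if access is not None and access & bit] or ["?"]
    return f"{'|'.join(names)},{DISPOSITION.get(disp, '?')}"


# Own module path -> file under %TEMP% -> ShellExecute: the shape of a self-delete/relaunch stub.
DROPPER_CHAIN = {"GetModuleFileNameA", "GetTempPathA", "CreateFileA", "WriteFile", "ShellExecuteA"}


def triage(calls: list) -> list:
    """Rule names (hypothetical, my own) matched by one function's call list, subcalls included."""
    names = {c.api for c in calls}
    findings = []
    if DROPPER_CHAIN <= names:
        cf = next(c for c in calls if c.api == "CreateFileA")
        findings.append(f"temp_dropper:{describe_createfile(cf)}")
    roots = {HKEY_ROOTS[to_int(c.args[0])] for c in calls
             if c.api in ("RegCreateKeyExA", "RegOpenKeyExA") and c.args
             and to_int(c.args[0]) in HKEY_ROOTS}
    for c in calls:  # dwType is the 4th argument of RegSetValueExA
        if c.api == "RegSetValueExA" and len(c.args) > 3:
            findings.append(f"reg_write:{'/'.join(sorted(roots)) or 'root?'}:"
                            f"{REG_TYPES.get(to_int(c.args[3]), '?')}")
    if {"GetUserNameA", "LookupAccountNameA"} <= names:
        findings.append("user_sid_lookup")
    return findings


# Listings copied from this report (functions at 0040915F, 0040E0B2 and 020A71E1), used as input.
SELF_DELETE_FUNC = """\
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
• Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""
REG_FUNC = """\
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
"""
SID_FUNC = """\
• GetUserNameA.ADVAPI32(?,?), ref: 020A71E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 020A7228
• LocalFree.KERNEL32(?,?,?), ref: 020A7286
• wsprintfA.USER32 ref: 020A729D
"""

if __name__ == "__main__":
    for name, text in (("0040915F", SELF_DELETE_FUNC), ("0040E0B2", REG_FUNC), ("020A71E1", SID_FUNC)):
        print(name, triage(parse_calls(text)))
```

Two things worth reading off the decoded output rather than the raw hex: the CreateFileA in the dropper chain opens its target with GENERIC_WRITE and CREATE_ALWAYS, so it overwrites whatever file name wsprintfA produced under the temp path, and the RegSetValueExA stores a REG_BINARY value under HKEY_CURRENT_USER, which is how a user-mode implant can persist a blob without needing administrative rights. The `?` tokens are arguments the sandbox could not recover from the stack, so rules that depend on an argument value must treat them as unknown, which is why `to_int` returns None for them.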
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 020A71E1
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 020A7228
                                                                      • LocalFree.KERNEL32(?,?,?), ref: 020A7286
                                                                      • wsprintfA.USER32 ref: 020A729D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                      • String ID: |
                                                                      • API String ID: 2539190677-2343686810
                                                                      • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                      • Instruction ID: 9c3f6858c04c58a06b34b382372901a9ce95546a2e064b08169d13577b49c1db
                                                                      • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                      • Instruction Fuzzy Hash: C2312572A00209BBDB41DFA8DC59ADE7BECEF04354F14C066F859DB210EB75D6488BA4
                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                      • String ID: LocalHost
                                                                      • API String ID: 3695455745-3154191806
                                                                      • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                      • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                      • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                      • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 020AB51A
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 020AB529
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 020AB548
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 020AB590
                                                                      • wsprintfA.USER32 ref: 020AB61E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                      • String ID:
                                                                      • API String ID: 4026320513-0
                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction ID: f150773dda0793bd3276381b1c2399d951d491184b46ea13f21b3fb5c3ce78fb
                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction Fuzzy Hash: 03513FB1D0021CAACF58CFD5D8885EEBBB9BF48304F50812AF501A6150E7B84AC9DF98
                                                                      APIs
                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 020A6303
                                                                      • LoadLibraryA.KERNEL32(?), ref: 020A632A
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 020A63B1
                                                                      • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 020A6405
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HugeRead$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 3498078134-0
                                                                      • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                      • Instruction ID: 5353c7f275d431060810d2b79ce2a4649f92745bf3322283152fe95f3705a9a7
                                                                      • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                      • Instruction Fuzzy Hash: 67418B72A00205EBDF55CF98C8A4BADB7F8EF04318F588168E815D7290D772E981EB50
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                      • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                      • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                      • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00405EC1), ref: 0040E693
                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                      • lstrcmpA.KERNEL32(?,00000008,?,76230F10,00000000,?,00405EC1), ref: 0040E722
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                      • String ID: A$ A
                                                                      • API String ID: 3343386518-686259309
                                                                      • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                      • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                      • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                      • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                        • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                      • String ID:
                                                                      • API String ID: 1128258776-0
                                                                      • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                      • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                      • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                      • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                      APIs
                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                      • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                      • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                      • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$lstrcmpi
                                                                      • String ID: localcfg
                                                                      • API String ID: 1808961391-1857712256
                                                                      • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                      • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                      • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                      • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E558
                                                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E583
                                                                      • CloseHandle.KERNEL32(00000000,?,76230F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3683885500-2980165447
                                                                      • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                      • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                      • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                      • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                      APIs
                                                                        • Part of subcall function 020ADF6C: GetCurrentThreadId.KERNEL32 ref: 020ADFBA
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,020AA6AC), ref: 020AE7BF
                                                                      • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,020AA6AC), ref: 020AE7EA
                                                                      • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,020AA6AC), ref: 020AE819
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCurrentHandleReadSizeThread
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 1396056608-2980165447
                                                                      • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                      • Instruction ID: 5c94dceff5da678b30361be31a5d23c0c67be7490aa11b8a7fcbb493e860c19c
                                                                      • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                      • Instruction Fuzzy Hash: 592137B1A003007AE22177B19C1AFEF3E4DCB647A0F900034BA0DA55D3EA959550AAB5
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                      • API String ID: 2574300362-1087626847
                                                                      • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                      • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                      • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                      • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 020A76D9
                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 020A796D
                                                                      • RegCloseKey.ADVAPI32(?), ref: 020A797E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseEnumOpen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 1332880857-2980165447
                                                                      • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                      • Instruction ID: 622e2785470884664be2856fd484a263f2d59fec3fef4b46958dcadd997bb09f
                                                                      • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                      • Instruction Fuzzy Hash: 3C11EE30A00209AFDB128FA9DC45FEFBFB9EB91304F548161F511E62A0E3B18940DB60
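The setsockopt block (level 0000FFFF with options 00000004, 00001005, 00001006, 00000080, and level 00000006 with option 00000001) and the registry block above (root 80000002, access mask 00020119) are only readable once the raw hex is mapped back to SDK names. The script below is an added example written for this report; it is not Joe Sandbox code and not part of the sample. It assumes the listing's line shape "• api.MODULE(arg,arg,...), ref: ADDR" (with the optional "Part of subcall function ADDR:" prefix and the no-argument form seen on the wsprintfA lines), and the constant tables are the public Winsock and advapi32 values, which are not taken from the page. One caveat it builds in: the sandbox renders raw stack slots as arguments, so argument positions do not reliably match the API prototype (the same PromptOnSecureDesktop string surfaces in GetFileSize and ReadFile calls that take no string), which is why the registry decoder scans every integer argument rather than trusting a position. SAMPLE_LINES is a constructed input copied from the blocks above.

```python
"""Parse Joe Sandbox "APIs" listing lines and annotate well-known Win32/Winsock constants."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Arg = Union[int, str, None]  # None stands for the report's "?" (an unresolved stack slot)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int  # address of the call site, from the "ref:" field


# Assumed line shape: "• api.MODULE(arg,...), ref: ADDR", optional subcall prefix, optional (args).
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^(-?)([0-9A-Fa-f]{8})$")

# Standard Winsock / advapi32 values from the public SDK headers, not taken from the report.
SOCKET_LEVELS = {0xFFFF: "SOL_SOCKET", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOCKET_OPTS = {
    0xFFFF: {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0020: "SO_BROADCAST",
             0x0080: "SO_LINGER", 0x1001: "SO_SNDBUF", 0x1002: "SO_RCVBUF",
             0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"},
    6: {0x0001: "TCP_NODELAY"},
}
REG_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_BITS = [(0x20000, "STANDARD_RIGHTS_READ"), (0x0001, "KEY_QUERY_VALUE"),
            (0x0002, "KEY_SET_VALUE"), (0x0004, "KEY_CREATE_SUB_KEY"),
            (0x0008, "KEY_ENUMERATE_SUB_KEYS"), (0x0010, "KEY_NOTIFY"),
            (0x0020, "KEY_CREATE_LINK"), (0x0100, "KEY_WOW64_64KEY"),
            (0x0200, "KEY_WOW64_32KEY")]
KEY_READ, KEY_ALL_ACCESS = 0x20019, 0xF003F


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    m = HEX_RE.match(tok)
    if m:
        val = int(m.group(2), 16)
        return -val if m.group(1) else val
    return tok  # a string the sandbox resolved from the stack, e.g. "localcfg"


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(a) for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def decode_key_access(mask: int) -> str:
    """Render a registry samDesired mask, collapsing the KEY_READ / KEY_ALL_ACCESS composites."""
    names = []
    if mask & KEY_ALL_ACCESS == KEY_ALL_ACCESS:
        names.append("KEY_ALL_ACCESS")
        mask &= ~KEY_ALL_ACCESS
    elif mask & KEY_READ == KEY_READ:
        names.append("KEY_READ")
        mask &= ~KEY_READ
    names += [name for bit, name in KEY_BITS if mask & bit]
    return "|".join(names) or "0"


def describe(call: ApiCall) -> str:
    """One annotated line per call; APIs without a decoder are echoed with raw arguments."""
    note = ""
    if call.api == "setsockopt" and len(call.args) >= 3 and all(
            isinstance(a, int) for a in call.args[1:3]):
        level, opt = call.args[1], call.args[2]
        note = f"{SOCKET_LEVELS.get(level, hex(level))} {SOCKET_OPTS.get(level, {}).get(opt, hex(opt))}"
    elif call.api.startswith("Reg"):
        # Stack slots are printed raw, so positions are untrusted: scan every integer
        # argument for a hive handle or for something shaped like a KEY_* access mask.
        ints = [a for a in call.args if isinstance(a, int)]
        roots = [REG_ROOTS[a] for a in ints if a in REG_ROOTS]
        masks = [decode_key_access(a) for a in ints if 0 < a < 0x100000 and a & 0x20000]
        note = " ".join(roots + masks)
    shown = ",".join("?" if a is None else (f"{a:08X}" if isinstance(a, int) else a)
                     for a in call.args)
    return f"{call.ref:08X} {call.api}({shown})" + (f"  ; {note}" if note else "")


def analyze(lines: List[str]) -> List[str]:
    calls = [parse_api_line(line) for line in lines]
    return [describe(c) for c in calls if c is not None]


# Constructed input: lines copied from the setsockopt, subcall and registry blocks of the report.
SAMPLE_LINES = [
    "• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0",
    "• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0",
    "• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD",
    "• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC",
    "• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD",
    "• Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F",
    "• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 020A76D9",
    "• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 020A796D",
    "• RegCloseKey.ADVAPI32(?), ref: 020A797E",
]

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_LINES)))
```

Run against the lines above, the five setsockopt calls decode to SO_REUSEADDR, SO_SNDTIMEO, SO_RCVTIMEO, TCP_NODELAY and SO_LINGER, i.e. a socket being prepared with explicit send and receive timeouts, and 00020119 decodes to KEY_READ|KEY_WOW64_64KEY, so the HKLM open at 020A76D9 is a read of the 64-bit view of the registry followed by subkey enumeration (RegEnumKeyA), not a write. Values the tables do not know are echoed as hex rather than guessed.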
                                                                      APIs
                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: hi_id$localcfg
                                                                      • API String ID: 2777991786-2393279970
                                                                      • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                      • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                      • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                      • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                      • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                      • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseDeleteOpenValue
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 849931509-2980165447
                                                                      • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                      • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                      • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                      • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 020A999D
                                                                      • RegDeleteValueA.ADVAPI32(?,00000000), ref: 020A99BD
                                                                      • RegCloseKey.ADVAPI32(?), ref: 020A99C6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseDeleteOpenValue
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 849931509-2980165447
                                                                      • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                      • Instruction ID: 82e1207613c46158cdce7218f3ca1b31f8ab05d5a8418a373dd3e8e939657e47
                                                                      • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                      • Instruction Fuzzy Hash: EDF0F6B2680208BFF7116B94EC06FDF3A2DDB94B10F500070FA05B5081F6E59B9096B9
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbynameinet_addr
                                                                      • String ID: time_cfg$u6A
                                                                      • API String ID: 1594361348-1940331995
                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction ID: 19667259fa9f0e786518a0ca434030b55d659b872ccf59f49f1edbe35d7d98c6
                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction Fuzzy Hash: 74E0C2306052118FCB818B2CF948AC537E4EF0A230F4081A0F840C31A0C734DCC0A740
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 020A69E5
                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 020A6A26
                                                                      • GetFileSize.KERNEL32(000000FF,00000000), ref: 020A6A3A
                                                                      • CloseHandle.KERNEL32(000000FF), ref: 020A6BD8
                                                                        • Part of subcall function 020AEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,020A1DCF,?), ref: 020AEEA8
                                                                        • Part of subcall function 020AEE95: HeapFree.KERNEL32(00000000), ref: 020AEEAF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                      • String ID:
                                                                      • API String ID: 3384756699-0
                                                                      • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                      • Instruction ID: 575399a73ab5fc5d05f51c4a58dac653fb874c5bccb2716c7abe43134e0df05f
                                                                      • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                      • Instruction Fuzzy Hash: 8271477190121DEFDF11CFA4CC90AEEBBB9FB08314F54456AE515A6190D7319E82EB60
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf
                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                      • API String ID: 2111968516-120809033
                                                                      • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                      • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                      • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                      • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                      • GetLastError.KERNEL32 ref: 00403F4E
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                      • GetLastError.KERNEL32 ref: 00403FC2
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 020A41AB
                                                                      • GetLastError.KERNEL32 ref: 020A41B5
                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 020A41C6
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 020A41D9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction ID: 1ae207f307fec598dd03c1554a30e988796eaab8239c9d4ff73203f6883c9294
                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction Fuzzy Hash: 71014C7A51120AAFDF01DF90ED85BEF3BACEB18255F404461F901E2050D7B0DA509BB5
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 020A421F
                                                                      • GetLastError.KERNEL32 ref: 020A4229
                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 020A423A
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 020A424D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction ID: 67b39bc73f535ddf0a5a03c3e3fe20934eccca0e787cb531f4dc2cb7223d4742
                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction Fuzzy Hash: 5E01C872511209AFDF12DF90EE84BEF7BACEB08355F918461F901E2050D7B0DA549BB6
                                                                      APIs
                                                                      • lstrcmp.KERNEL32(?,80000009), ref: 020AE066
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp
                                                                      • String ID: A$ A$ A
                                                                      • API String ID: 1534048567-1846390581
                                                                      • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                      • Instruction ID: 89ffa1f02adc3ae2b85dc7b6edd73b869d333d030506f4f9f1c3c9baf46f7c45
                                                                      • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                      • Instruction Fuzzy Hash: FDF062312007029BCB62CFA5D894E82B7E9FB05325B84863AE554C3060D374B4D8DB51
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                      • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                      • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                      • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                      • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                      • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404E9E
                                                                      • GetTickCount.KERNEL32 ref: 00404EAD
                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                      • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                      • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                      • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404BDD
                                                                      • GetTickCount.KERNEL32 ref: 00404BEC
                                                                      • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                      • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                      • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                      • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                      • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00403103
                                                                      • GetTickCount.KERNEL32 ref: 0040310F
                                                                      • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                      • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                      • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                      • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                        • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                        • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                        • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                        • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 4151426672-2980165447
                                                                      • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                      • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                      • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                      • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000001,020A44E2,00000000,00000000,00000000), ref: 020AE470
                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 020AE484
                                                                        • Part of subcall function 020AE2FC: RegCreateKeyExA.ADVAPI32(80000001,020AE50A,00000000,00000000,00000000,00020106,00000000,020AE50A,00000000,000000E4), ref: 020AE319
                                                                        • Part of subcall function 020AE2FC: RegSetValueExA.ADVAPI32(020AE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 020AE38E
                                                                        • Part of subcall function 020AE2FC: RegDeleteValueA.ADVAPI32(020AE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 020AE3BF
                                                                        • Part of subcall function 020AE2FC: RegCloseKey.ADVAPI32(020AE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,020AE50A), ref: 020AE3C8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 4151426672-2980165447
                                                                      • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                      • Instruction ID: 06e9d3476690aeb19766ca9db9114c9429a435a04569856af667b4615351b15c
                                                                      • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                      • Instruction Fuzzy Hash: 1241C4B2900304BBEB216EE1DC55FEF3BADEB04764F948035FE0994091E7B58650EAB4
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 020A83C6
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 020A8477
                                                                        • Part of subcall function 020A69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 020A69E5
                                                                        • Part of subcall function 020A69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 020A6A26
                                                                        • Part of subcall function 020A69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 020A6A3A
                                                                        • Part of subcall function 020AEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,020A1DCF,?), ref: 020AEEA8
                                                                        • Part of subcall function 020AEE95: HeapFree.KERNEL32(00000000), ref: 020AEEAF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 359188348-2980165447
                                                                      • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                      • Instruction ID: 3911c997b842ba15eb15fbc80bbba88e5164ac54887bfa11f838c2f0e5e0174c
                                                                      • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                      • Instruction Fuzzy Hash: A9415FB2900209BFEB51EBE49D90EFF77ADEB04344F9484B6E504E6010F7B15A94AB64
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,020AE859,00000000,00020119,020AE859,PromptOnSecureDesktop), ref: 020AE64D
                                                                      • RegCloseKey.ADVAPI32(020AE859,?,?,?,?,000000C8,000000E4), ref: 020AE787
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 47109696-2980165447
                                                                      • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                      • Instruction ID: 2e93a725f1bbdc09509549859a504e8bba07442044840688a1bcd07635b32d41
                                                                      • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                      • Instruction Fuzzy Hash: 3F4108B2D0021DBFDF12AFE4DC94EEEBBB9FB04344F544476EA00A6150E3719A559B60
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 020AAFFF
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 020AB00D
                                                                        • Part of subcall function 020AAF6F: gethostname.WS2_32(?,00000080), ref: 020AAF83
                                                                        • Part of subcall function 020AAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 020AAFE6
                                                                        • Part of subcall function 020A331C: gethostname.WS2_32(?,00000080), ref: 020A333F
                                                                        • Part of subcall function 020A331C: gethostbyname.WS2_32(?), ref: 020A3349
                                                                        • Part of subcall function 020AAA0A: inet_ntoa.WS2_32(00000000), ref: 020AAA10
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %OUTLOOK_BND_
                                                                      • API String ID: 1981676241-3684217054
                                                                      • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                      • Instruction ID: 0e4b9b3fbe2750f3659914924be73ec9d97ff8c07a77a35dc6ca85a876a6f45c
                                                                      • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                      • Instruction Fuzzy Hash: 53415DB290030CABDB25EFE0DC55EEE3BADFB08304F54442AF92492151EA75E6549F54
                                                                      APIs
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 020A9536
                                                                      • Sleep.KERNEL32(000001F4), ref: 020A955D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShellSleep
                                                                      • String ID:
                                                                      • API String ID: 4194306370-3916222277
                                                                      • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                      • Instruction ID: 7c86074caf45bbe106f74a7015050feeed646a0df9599236f2154641d9bd7ae7
                                                                      • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                      • Instruction Fuzzy Hash: 33411771A0438C6FFBB78BF8D8AEBE63BE59B02314F9801A5D08297192D7744980E711
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 020AB9D9
                                                                      • InterlockedIncrement.KERNEL32(00413648), ref: 020ABA3A
                                                                      • InterlockedIncrement.KERNEL32(?), ref: 020ABA94
                                                                      • GetTickCount.KERNEL32 ref: 020ABB79
                                                                      • GetTickCount.KERNEL32 ref: 020ABB99
                                                                      • InterlockedIncrement.KERNEL32(?), ref: 020ABE15
                                                                      • closesocket.WS2_32(00000000), ref: 020ABEB4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountIncrementInterlockedTick$closesocket
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 1869671989-2903620461
                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                      • Instruction ID: e4e302f7db2368f2dcb86306ddee97624efbdac943136a3803de7ca0e09b88de
                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                      • Instruction Fuzzy Hash: 76318A715003489FDF65DFE4DCA4AEEB7F9EB58304FA0405AFA2592160EB719684EF10
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 536389180-1857712256
                                                                      • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                      • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                      • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                      • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                      APIs
                                                                      Strings
                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTickwsprintf
                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                      • API String ID: 2424974917-1012700906
                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                      APIs
                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 3716169038-2903620461
                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                      APIs
                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 020A70BC
                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 020A70F4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountLookupUser
                                                                      • String ID: |
                                                                      • API String ID: 2370142434-2343686810
                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction ID: 955874a42cdbd820ad0754c62b19581ac822089818753a42b7ac6276792b81d3
                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction Fuzzy Hash: D5112A72900218EBDB51CBD8DC84ADEB7FCAB04305F5481B6E501E60A4D7749B88DBA4
                                                                      APIs
                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: localcfg
                                                                      • API String ID: 2777991786-1857712256
                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
APIs
  • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
  • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
• HeapFree.KERNEL32(00000000), ref: 00402F7A
Memory Dump Source
• Source File: 00000000.00000002.2134783525.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2134783525.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_rpzOeQ5QzX.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
APIs
  • Part of subcall function 020A2F88: GetModuleHandleA.KERNEL32(?), ref: 020A2FA1
  • Part of subcall function 020A2F88: LoadLibraryA.KERNEL32(?), ref: 020A2FB1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 020A31DA
• HeapFree.KERNEL32(00000000), ref: 020A31E1
Memory Dump Source
• Source File: 00000000.00000002.2135105954.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20a0000_rpzOeQ5QzX.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0

Execution Graph

Execution Coverage: 3.3%
Dynamic/Decrypted Code Coverage: 2%
Signature Coverage: 0%
Total number of Nodes: 1635
Total number of Limit Nodes: 14
15669->15627 15671 40908d 15670->15671 15672 4090e2 wsprintfA 15671->15672 15673 40ee2a 15672->15673 15674 4090fd CreateFileA 15673->15674 15675 40911a lstrlenA WriteFile CloseHandle 15674->15675 15676 40913f 15674->15676 15675->15676 15676->15322 15676->15323 15678 40dbf0 15677->15678 15710 40db67 GetEnvironmentVariableA 15678->15710 15680 40dc19 15681 40dcda 15680->15681 15682 40db67 3 API calls 15680->15682 15681->15328 15683 40dc5c 15682->15683 15683->15681 15684 40db67 3 API calls 15683->15684 15685 40dc9b 15684->15685 15685->15681 15686 40db67 3 API calls 15685->15686 15686->15681 15688 40db55 15687->15688 15689 40db3a 15687->15689 15688->15330 15688->15335 15690 40ebed 8 API calls 15689->15690 15690->15688 15692 40f04e 4 API calls 15691->15692 15694 40e342 15692->15694 15693 40e3be 15693->15330 15694->15693 15714 40de24 15694->15714 15697 40e528 15696->15697 15698 40e3f4 15696->15698 15697->15340 15699 40e434 RegQueryValueExA 15698->15699 15700 40e458 15699->15700 15701 40e51d RegCloseKey 15699->15701 15702 40e46e RegQueryValueExA 15700->15702 15701->15697 15702->15700 15703 40e488 15702->15703 15703->15701 15704 40db2e 8 API calls 15703->15704 15705 40e499 15704->15705 15705->15701 15706 40e4b9 RegQueryValueExA 15705->15706 15707 40e4e8 15705->15707 15706->15705 15706->15707 15707->15701 15708 40e332 14 API calls 15707->15708 15709 40e513 15708->15709 15709->15701 15711 40db89 lstrcpyA CreateFileA 15710->15711 15712 40dbca 15710->15712 15711->15680 15712->15680 15715 40de3a 15714->15715 15716 40dd84 lstrcmpiA 15715->15716 15720 40de4e 15715->15720 15717 40de62 15716->15717 15718 40de9e 15717->15718 15721 40de76 15717->15721 15719 40ebed 8 API calls 15718->15719 15718->15720 15723 40def6 15719->15723 15720->15694 15725 40ddcf 15721->15725 15723->15720 15724 40ddcf lstrcmpA 15723->15724 15724->15720 15726 40dddd 15725->15726 15728 40de20 15725->15728 15727 40ddfa lstrcmpA 15726->15727 15726->15728 15727->15726 15728->15720 15730 40dd05 6 API calls 
15729->15730 15731 40df7c 15730->15731 15732 40dd84 lstrcmpiA 15731->15732 15737 40df89 15732->15737 15733 40dfc4 15733->15362 15734 40ddcf lstrcmpA 15734->15737 15735 40ec2e codecvt 4 API calls 15735->15737 15736 40dd84 lstrcmpiA 15736->15737 15737->15733 15737->15734 15737->15735 15737->15736 15739 40ea98 15738->15739 15766 40e8a1 15739->15766 15741 401e84 15741->15364 15743 4019d5 GetProcAddress GetProcAddress GetProcAddress 15742->15743 15744 4019ce 15742->15744 15745 401ab3 FreeLibrary 15743->15745 15746 401a04 15743->15746 15744->15368 15745->15744 15746->15745 15747 401a14 GetProcessHeap 15746->15747 15747->15744 15749 401a2e HeapAlloc 15747->15749 15749->15744 15750 401a42 15749->15750 15751 401a52 HeapReAlloc 15750->15751 15753 401a62 15750->15753 15751->15753 15752 401aa1 FreeLibrary 15752->15744 15753->15752 15754 401a96 HeapFree 15753->15754 15754->15752 15794 401ac3 LoadLibraryA 15755->15794 15758 401bcf 15758->15379 15760 401ac3 12 API calls 15759->15760 15761 401c09 15760->15761 15762 401c41 15761->15762 15763 401c0d GetComputerNameA 15761->15763 15762->15387 15764 401c45 GetVolumeInformationA 15763->15764 15765 401c1f 15763->15765 15764->15762 15765->15762 15765->15764 15767 40dd05 6 API calls 15766->15767 15768 40e8b4 15767->15768 15769 40dd84 lstrcmpiA 15768->15769 15770 40e8c0 15769->15770 15771 40e8c8 lstrcpynA 15770->15771 15781 40e90a 15770->15781 15772 40e8f5 15771->15772 15787 40df4c 15772->15787 15773 402419 4 API calls 15774 40e926 lstrlenA lstrlenA 15773->15774 15776 40e94c lstrlenA 15774->15776 15778 40e96a 15774->15778 15776->15778 15777 40e901 15779 40dd84 lstrcmpiA 15777->15779 15780 40ebcc 4 API calls 15778->15780 15782 40ea27 15778->15782 15779->15781 15783 40e98f 15780->15783 15781->15773 15781->15782 15782->15741 15783->15782 15784 40df4c 20 API calls 15783->15784 15785 40ea1e 15784->15785 15786 40ec2e codecvt 4 API calls 15785->15786 15786->15782 15788 40dd05 6 API calls 15787->15788 15789 40df51 15788->15789 15790 40f04e 4 API 
calls 15789->15790 15791 40df58 15790->15791 15792 40de24 10 API calls 15791->15792 15793 40df63 15792->15793 15793->15777 15795 401ae2 GetProcAddress 15794->15795 15800 401b68 GetComputerNameA GetVolumeInformationA 15794->15800 15796 401af5 15795->15796 15795->15800 15797 40ebed 8 API calls 15796->15797 15799 401b29 15796->15799 15797->15796 15798 40ec2e codecvt 4 API calls 15798->15800 15799->15798 15799->15799 15799->15800 15800->15758 15802 406ec3 2 API calls 15801->15802 15803 407ef4 15802->15803 15804 4073ff 17 API calls 15803->15804 15813 407fc9 15803->15813 15805 407f16 15804->15805 15805->15813 15814 407809 GetUserNameA 15805->15814 15807 407f63 15808 40ef1e lstrlenA 15807->15808 15807->15813 15809 407fa6 15808->15809 15810 40ef1e lstrlenA 15809->15810 15811 407fb7 15810->15811 15838 407a95 RegOpenKeyExA 15811->15838 15813->15406 15815 40783d LookupAccountNameA 15814->15815 15816 407a8d 15814->15816 15815->15816 15817 407874 GetLengthSid GetFileSecurityA 15815->15817 15816->15807 15817->15816 15818 4078a8 GetSecurityDescriptorOwner 15817->15818 15819 4078c5 EqualSid 15818->15819 15820 40791d GetSecurityDescriptorDacl 15818->15820 15819->15820 15821 4078dc LocalAlloc 15819->15821 15820->15816 15828 407941 15820->15828 15821->15820 15822 4078ef InitializeSecurityDescriptor 15821->15822 15823 407916 LocalFree 15822->15823 15824 4078fb SetSecurityDescriptorOwner 15822->15824 15823->15820 15824->15823 15826 40790b SetFileSecurityA 15824->15826 15825 40795b GetAce 15825->15828 15826->15823 15827 407980 EqualSid 15827->15828 15828->15816 15828->15825 15828->15827 15829 4079be EqualSid 15828->15829 15830 407a3d 15828->15830 15831 40799d DeleteAce 15828->15831 15829->15828 15830->15816 15832 407a43 LocalAlloc 15830->15832 15831->15828 15832->15816 15833 407a56 InitializeSecurityDescriptor 15832->15833 15834 407a62 SetSecurityDescriptorDacl 15833->15834 15835 407a86 LocalFree 15833->15835 15834->15835 15836 407a73 SetFileSecurityA 15834->15836 15835->15816 
15836->15835 15837 407a83 15836->15837 15837->15835 15839 407ac4 15838->15839 15840 407acb GetUserNameA 15838->15840 15839->15813 15841 407da7 RegCloseKey 15840->15841 15842 407aed LookupAccountNameA 15840->15842 15841->15839 15842->15841 15843 407b24 RegGetKeySecurity 15842->15843 15843->15841 15844 407b49 GetSecurityDescriptorOwner 15843->15844 15845 407b63 EqualSid 15844->15845 15846 407bb8 GetSecurityDescriptorDacl 15844->15846 15845->15846 15848 407b74 LocalAlloc 15845->15848 15847 407da6 15846->15847 15855 407bdc 15846->15855 15847->15841 15848->15846 15849 407b8a InitializeSecurityDescriptor 15848->15849 15851 407bb1 LocalFree 15849->15851 15852 407b96 SetSecurityDescriptorOwner 15849->15852 15850 407bf8 GetAce 15850->15855 15851->15846 15852->15851 15853 407ba6 RegSetKeySecurity 15852->15853 15853->15851 15854 407c1d EqualSid 15854->15855 15855->15847 15855->15850 15855->15854 15856 407c5f EqualSid 15855->15856 15857 407c3a DeleteAce 15855->15857 15859 407cd9 15855->15859 15856->15855 15857->15855 15858 407d5a LocalAlloc 15858->15847 15860 407d70 InitializeSecurityDescriptor 15858->15860 15859->15847 15859->15858 15861 407cf2 RegOpenKeyExA 15859->15861 15862 407d7c SetSecurityDescriptorDacl 15860->15862 15863 407d9f LocalFree 15860->15863 15861->15858 15866 407d0f 15861->15866 15862->15863 15864 407d8c RegSetKeySecurity 15862->15864 15863->15847 15864->15863 15865 407d9c 15864->15865 15865->15863 15867 407d43 RegSetValueExA 15866->15867 15867->15858 15868 407d54 15867->15868 15868->15858 15869->15422 15871 40dd05 6 API calls 15870->15871 15874 40e65f 15871->15874 15872 40e6a5 15873 40ebcc 4 API calls 15872->15873 15879 40e6f5 15872->15879 15876 40e6b0 15873->15876 15874->15872 15875 40e68c lstrcmpA 15874->15875 15875->15874 15877 40e6b7 15876->15877 15878 40e6e0 lstrcpynA 15876->15878 15876->15879 15877->15424 15878->15879 15879->15877 15880 40e71d lstrcmpA 15879->15880 15880->15879 15881->15430 15883 40c525 15882->15883 15884 40c532 15882->15884 
15883->15884 15886 40ec2e codecvt 4 API calls 15883->15886 15885 40c548 15884->15885 16030 40e7ff 15884->16030 15888 40e7ff lstrcmpiA 15885->15888 15896 40c54f 15885->15896 15886->15884 15889 40c615 15888->15889 15890 40ebcc 4 API calls 15889->15890 15889->15896 15890->15896 15891 40c5d1 15893 40ebcc 4 API calls 15891->15893 15893->15896 15894 40e819 11 API calls 15895 40c5b7 15894->15895 15897 40f04e 4 API calls 15895->15897 15896->15443 15898 40c5bf 15897->15898 15898->15885 15898->15891 15900 40f315 14 API calls 15899->15900 15901 40ca1d 15900->15901 15901->15458 15906 40f43e 15901->15906 15904 40c8d2 15902->15904 15903 40c907 15903->15445 15904->15903 15905 40c517 23 API calls 15904->15905 15905->15903 15907 40f473 recv 15906->15907 15908 40f47c 15907->15908 15909 40f458 15907->15909 15908->15461 15909->15907 15909->15908 15911 40c670 15910->15911 15912 40c67d 15910->15912 15913 40ebcc 4 API calls 15911->15913 15914 40ebcc 4 API calls 15912->15914 15916 40c699 15912->15916 15913->15912 15914->15916 15915 40c6f3 15915->15474 15915->15525 15916->15915 15917 40c73c send 15916->15917 15917->15915 15919 40c770 15918->15919 15920 40c77d 15918->15920 15921 40ebcc 4 API calls 15919->15921 15922 40c799 15920->15922 15924 40ebcc 4 API calls 15920->15924 15921->15920 15923 40c7b5 15922->15923 15925 40ebcc 4 API calls 15922->15925 15926 40f43e recv 15923->15926 15924->15922 15925->15923 15927 40c7cb 15926->15927 15928 40f43e recv 15927->15928 15929 40c7d3 15927->15929 15928->15929 15929->15525 16033 407db7 15930->16033 15933 407e70 15935 407e96 15933->15935 15937 40f04e 4 API calls 15933->15937 15934 40f04e 4 API calls 15936 407e4c 15934->15936 15935->15525 15936->15933 15938 40f04e 4 API calls 15936->15938 15937->15935 15938->15933 15940 406ec3 2 API calls 15939->15940 15941 407fdd 15940->15941 15942 4073ff 17 API calls 15941->15942 15951 4080c2 CreateProcessA 15941->15951 15943 407fff 15942->15943 15944 407809 21 API calls 15943->15944 15943->15951 15945 40804d 
15944->15945 15946 40ef1e lstrlenA 15945->15946 15945->15951 15947 40809e 15946->15947 15948 40ef1e lstrlenA 15947->15948 15949 4080af 15948->15949 15950 407a95 24 API calls 15949->15950 15950->15951 15951->15527 15951->15528 15953 407db7 2 API calls 15952->15953 15954 407eb8 15953->15954 15955 40f04e 4 API calls 15954->15955 15956 407ece DeleteFileA 15955->15956 15956->15525 15958 40dd05 6 API calls 15957->15958 15959 40e31d 15958->15959 16037 40e177 15959->16037 15961 40e326 15961->15499 15963 4031f3 15962->15963 15973 4031ec 15962->15973 15964 40ebcc 4 API calls 15963->15964 15970 4031fc 15964->15970 15965 403459 15968 40f04e 4 API calls 15965->15968 15966 40349d 15967 40ec2e codecvt 4 API calls 15966->15967 15967->15973 15969 40345f 15968->15969 15972 4030fa 4 API calls 15969->15972 15970->15970 15971 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15970->15971 15970->15973 15974 40344d 15970->15974 15976 40344b 15970->15976 15977 4030fa 4 API calls 15970->15977 15978 403141 lstrcmpiA 15970->15978 15971->15970 15972->15973 15973->15525 15975 40ec2e codecvt 4 API calls 15974->15975 15975->15976 15976->15965 15976->15966 15977->15970 15978->15970 15980 4030fa 4 API calls 15979->15980 15981 403c1a 15980->15981 15985 403ce6 15981->15985 16063 403a72 15981->16063 15984 403a72 9 API calls 15988 403c5e 15984->15988 15985->15525 15986 403a72 9 API calls 15986->15988 15987 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15987->15988 15988->15985 15988->15986 15988->15987 15990 403a10 15989->15990 15991 4030fa 4 API calls 15990->15991 15992 403a1a 15991->15992 15992->15525 15994 40dd05 6 API calls 15993->15994 15995 40e7be 15994->15995 15995->15525 15997 40c105 15996->15997 15998 40c07e wsprintfA 15996->15998 15997->15525 16072 40bfce GetTickCount wsprintfA 15998->16072 16000 40c0ef 16073 40bfce GetTickCount wsprintfA 16000->16073 16003 407047 16002->16003 16004 406f88 LookupAccountNameA 16002->16004 16003->15525 16006 407025 16004->16006 16007 
406fcb 16004->16007 16008 406edd 5 API calls 16006->16008 16010 406fdb ConvertSidToStringSidA 16007->16010 16009 40702a wsprintfA 16008->16009 16009->16003 16010->16006 16011 406ff1 16010->16011 16012 407013 LocalFree 16011->16012 16012->16006 16014 40dd05 6 API calls 16013->16014 16015 40e85c 16014->16015 16016 40dd84 lstrcmpiA 16015->16016 16018 40e867 16016->16018 16017 40e885 lstrcpyA 16077 40dd69 16017->16077 16018->16017 16074 4024a5 16018->16074 16024 407db7 2 API calls 16023->16024 16025 407de1 16024->16025 16026 40f04e 4 API calls 16025->16026 16029 407e16 16025->16029 16027 407df2 16026->16027 16028 40f04e 4 API calls 16027->16028 16027->16029 16028->16029 16029->15525 16031 40dd84 lstrcmpiA 16030->16031 16032 40c58e 16031->16032 16032->15885 16032->15891 16032->15894 16034 407dc8 InterlockedExchange 16033->16034 16035 407dc0 Sleep 16034->16035 16036 407dd4 16034->16036 16035->16034 16036->15933 16036->15934 16038 40e184 16037->16038 16039 40e2e4 16038->16039 16040 40e223 16038->16040 16053 40dfe2 16038->16053 16039->15961 16040->16039 16042 40dfe2 8 API calls 16040->16042 16047 40e23c 16042->16047 16043 40e1be 16043->16040 16044 40dbcf 3 API calls 16043->16044 16046 40e1d6 16044->16046 16045 40e21a CloseHandle 16045->16040 16046->16040 16046->16045 16048 40e1f9 WriteFile 16046->16048 16047->16039 16057 40e095 RegCreateKeyExA 16047->16057 16048->16045 16050 40e213 16048->16050 16050->16045 16051 40e2a3 16051->16039 16052 40e095 4 API calls 16051->16052 16052->16039 16054 40dffc 16053->16054 16056 40e024 16053->16056 16055 40db2e 8 API calls 16054->16055 16054->16056 16055->16056 16056->16043 16058 40e172 16057->16058 16060 40e0c0 16057->16060 16058->16051 16059 40e13d 16061 40e14e RegDeleteValueA RegCloseKey 16059->16061 16060->16059 16062 40e115 RegSetValueExA 16060->16062 16061->16058 16062->16059 16062->16060 16064 40f04e 4 API calls 16063->16064 16065 403a83 16064->16065 16067 403bc0 16065->16067 16068 403ac1 16065->16068 16071 403b66 lstrlenA 
16065->16071 16066 403be6 16070 40ec2e codecvt 4 API calls 16066->16070 16067->16066 16069 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16067->16069 16068->15984 16068->15985 16069->16067 16070->16068 16071->16065 16071->16068 16072->16000 16073->15997 16075 402419 4 API calls 16074->16075 16076 4024b6 16075->16076 16076->16017 16078 40dd79 lstrlenA 16077->16078 16078->15525 16080 408791 16079->16080 16081 40879f 16079->16081 16082 40f04e 4 API calls 16080->16082 16083 4087bc 16081->16083 16084 40f04e 4 API calls 16081->16084 16082->16081 16085 40e819 11 API calls 16083->16085 16084->16083 16086 4087d7 16085->16086 16099 408803 16086->16099 16130 4026b2 gethostbyaddr 16086->16130 16089 4087eb 16091 40e8a1 30 API calls 16089->16091 16089->16099 16091->16099 16094 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16094->16099 16095 40e819 11 API calls 16095->16099 16096 4088a0 Sleep 16096->16099 16098 4026b2 2 API calls 16098->16099 16099->16094 16099->16095 16099->16096 16099->16098 16100 40e8a1 30 API calls 16099->16100 16135 408cee 16099->16135 16143 40c4d6 16099->16143 16146 40c4e2 16099->16146 16149 402011 16099->16149 16184 408328 16099->16184 16100->16099 16102 404084 16101->16102 16103 40407d 16101->16103 16104 403ecd 6 API calls 16102->16104 16105 40408f 16104->16105 16106 404000 3 API calls 16105->16106 16108 404095 16106->16108 16107 404130 16109 403ecd 6 API calls 16107->16109 16108->16107 16113 403f18 4 API calls 16108->16113 16110 404159 CreateNamedPipeA 16109->16110 16111 404167 Sleep 16110->16111 16112 404188 ConnectNamedPipe 16110->16112 16111->16107 16114 404176 CloseHandle 16111->16114 16116 404195 GetLastError 16112->16116 16125 4041ab 16112->16125 16115 4040da 16113->16115 16114->16112 16117 403f8c 4 API calls 16115->16117 16118 40425e DisconnectNamedPipe 16116->16118 16116->16125 16119 4040ec 16117->16119 16118->16112 16120 404127 CloseHandle 16119->16120 16121 404101 16119->16121 16120->16107 
16122 403f18 4 API calls 16121->16122 16123 40411c ExitProcess 16122->16123 16124 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16124->16125 16125->16112 16125->16118 16125->16124 16126 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16125->16126 16127 40426a CloseHandle CloseHandle 16125->16127 16126->16125 16128 40e318 23 API calls 16127->16128 16129 40427b 16128->16129 16129->16129 16131 4026fb 16130->16131 16132 4026cd 16130->16132 16131->16089 16133 4026e1 inet_ntoa 16132->16133 16134 4026de 16132->16134 16133->16134 16134->16089 16136 408d02 GetTickCount 16135->16136 16137 408dae 16135->16137 16136->16137 16141 408d19 16136->16141 16137->16099 16138 408da1 GetTickCount 16138->16137 16140 40a688 GetTickCount 16140->16141 16141->16138 16141->16140 16142 408d89 16141->16142 16236 40a677 16141->16236 16142->16138 16239 40c2dc 16143->16239 16147 40c2dc 141 API calls 16146->16147 16148 40c4ec 16147->16148 16148->16099 16150 402020 16149->16150 16151 40202e 16149->16151 16152 40f04e 4 API calls 16150->16152 16153 40204b 16151->16153 16154 40f04e 4 API calls 16151->16154 16152->16151 16155 40206e GetTickCount 16153->16155 16158 40f04e 4 API calls 16153->16158 16154->16153 16156 402090 16155->16156 16157 4020db GetTickCount 16155->16157 16160 4020d4 GetTickCount 16156->16160 16165 402684 2 API calls 16156->16165 16178 4020ce 16156->16178 16314 401978 16156->16314 16161 402132 GetTickCount GetTickCount 16157->16161 16162 4020e7 16157->16162 16159 402068 16158->16159 16159->16155 16160->16157 16164 40f04e 4 API calls 16161->16164 16163 40212b GetTickCount 16162->16163 16173 401978 15 API calls 16162->16173 16174 402125 16162->16174 16319 402ef8 16162->16319 16163->16161 16166 402159 16164->16166 16165->16156 16169 40e854 13 API calls 16166->16169 16180 4021b4 16166->16180 16168 40f04e 4 API calls 16176 4021d1 16168->16176 16170 40218e 16169->16170 16172 40e819 11 API calls 16170->16172 16177 40219c 16172->16177 16173->16162 
16174->16163 16175 4021f2 16175->16099 16176->16175 16179 40ea84 30 API calls 16176->16179 16177->16180 16327 401c5f 16177->16327 16178->16160 16181 4021ec 16179->16181 16180->16168 16182 40f04e 4 API calls 16181->16182 16182->16175 16185 407dd6 6 API calls 16184->16185 16186 40833c 16185->16186 16187 406ec3 2 API calls 16186->16187 16214 408340 16186->16214 16188 40834f 16187->16188 16189 40835c 16188->16189 16194 40846b 16188->16194 16190 4073ff 17 API calls 16189->16190 16211 408373 16190->16211 16191 4085df 16192 408626 GetTempPathA 16191->16192 16202 408762 16191->16202 16215 408638 16191->16215 16192->16215 16193 40675c 21 API calls 16193->16191 16195 4084a7 RegOpenKeyExA 16194->16195 16210 408450 16194->16210 16197 4084c0 RegQueryValueExA 16195->16197 16198 40852f 16195->16198 16200 408521 RegCloseKey 16197->16200 16201 4084dd 16197->16201 16203 408564 RegOpenKeyExA 16198->16203 16218 4085a5 16198->16218 16199 4086ad 16199->16202 16204 407e2f 6 API calls 16199->16204 16200->16198 16201->16200 16207 40ebcc 4 API calls 16201->16207 16209 40ec2e codecvt 4 API calls 16202->16209 16202->16214 16205 408573 RegSetValueExA RegCloseKey 16203->16205 16203->16218 16206 4086bb 16204->16206 16205->16218 16208 40875b DeleteFileA 16206->16208 16225 4086e0 lstrcpyA lstrlenA 16206->16225 16213 4084f0 16207->16213 16208->16202 16209->16214 16210->16191 16210->16193 16211->16210 16211->16214 16216 4083ea RegOpenKeyExA 16211->16216 16213->16200 16217 4084f8 RegQueryValueExA 16213->16217 16214->16099 16399 406ba7 IsBadCodePtr 16215->16399 16216->16210 16219 4083fd RegQueryValueExA 16216->16219 16217->16200 16220 408515 16217->16220 16218->16210 16221 40ec2e codecvt 4 API calls 16218->16221 16222 40842d RegSetValueExA 16219->16222 16223 40841e 16219->16223 16224 40ec2e codecvt 4 API calls 16220->16224 16221->16210 16226 408447 RegCloseKey 16222->16226 16223->16222 16223->16226 16227 40851d 16224->16227 16228 407fcf 64 API calls 16225->16228 16226->16210 16227->16200 16229 408719 
CreateProcessA 16228->16229 16230 40873d CloseHandle CloseHandle 16229->16230 16231 40874f 16229->16231 16230->16202 16232 407ee6 64 API calls 16231->16232 16233 408754 16232->16233 16234 407ead 6 API calls 16233->16234 16235 40875a 16234->16235 16235->16208 16237 40a63d GetTickCount 16236->16237 16238 40a685 16237->16238 16238->16141 16240 40a4c7 4 API calls 16239->16240 16241 40c2e9 16240->16241 16242 40c300 GetTickCount 16241->16242 16243 40c326 16241->16243 16244 40c45e 16241->16244 16245 40c337 16242->16245 16243->16245 16246 40c32b GetTickCount 16243->16246 16247 40c4d2 16244->16247 16248 40c4ab InterlockedIncrement CreateThread 16244->16248 16245->16244 16250 40c363 GetTickCount 16245->16250 16246->16245 16247->16099 16248->16247 16249 40c4cb CloseHandle 16248->16249 16255 40b535 16248->16255 16249->16247 16250->16244 16251 40c373 16250->16251 16252 40c378 GetTickCount 16251->16252 16253 40c37f 16251->16253 16252->16253 16254 40c43b GetTickCount 16253->16254 16254->16244 16256 40b566 16255->16256 16257 40ebcc 4 API calls 16256->16257 16258 40b587 16257->16258 16259 40ebcc 4 API calls 16258->16259 16269 40b590 16259->16269 16260 40bdcd InterlockedDecrement 16261 40bde2 16260->16261 16263 40ec2e codecvt 4 API calls 16261->16263 16262 403e10 4 API calls 16262->16269 16264 40bdea 16263->16264 16265 40ec2e codecvt 4 API calls 16264->16265 16267 40bdf2 16265->16267 16266 40bdb7 Sleep 16311 40b5c7 16266->16311 16268 40be05 16267->16268 16271 40ec2e codecvt 4 API calls 16267->16271 16269->16260 16269->16262 16273 403e4f 4 API calls 16269->16273 16274 40384f 12 API calls 16269->16274 16269->16311 16270 40bdcc 16270->16260 16271->16268 16272 40ebed 8 API calls 16272->16311 16273->16269 16274->16311 16275 40b6b6 lstrlenA 16275->16311 16276 4030b5 2 API calls 16276->16311 16277 40b6ed lstrcpyA 16279 405ce1 22 API calls 16277->16279 16278 40e819 11 API calls 16278->16311 16279->16311 16280 40a7a3 inet_ntoa 16280->16311 16281 40b731 lstrlenA 16281->16311 16282 40b71f 
lstrcmpA 16282->16281 16282->16311 16283 40b772 GetTickCount 16283->16311 16284 40bd49 InterlockedIncrement 16286 40a628 4 API calls 16284->16286 16285 40abee 34 API calls 16285->16311 16286->16311 16287 40bc5b InterlockedIncrement 16287->16311 16288 40b7ce InterlockedIncrement 16290 40acd7 14 API calls 16288->16290 16290->16311 16291 40b912 GetTickCount 16291->16311 16292 40b826 InterlockedIncrement 16292->16283 16293 40b932 GetTickCount 16295 40bc6d InterlockedIncrement 16293->16295 16293->16311 16294 40bcdc closesocket 16294->16311 16295->16311 16296 405ce1 22 API calls 16296->16311 16297 4038f0 6 API calls 16297->16311 16298 40ab81 2 API calls 16299 40bd1a GetTickCount 16298->16299 16302 40a51d 6 API calls 16299->16302 16300 403cfb 4 API calls 16300->16311 16301 40bba6 InterlockedIncrement 16301->16311 16302->16311 16303 40bc4c closesocket 16303->16311 16304 405ded 12 API calls 16304->16311 16305 40b3c5 42 API calls 16305->16311 16306 40ba71 wsprintfA 16308 40a7c1 22 API calls 16306->16308 16307 40ab81 lstrcpynA InterlockedIncrement 16307->16311 16308->16311 16309 40a7c1 22 API calls 16309->16311 16310 40ef1e lstrlenA 16310->16311 16311->16266 16311->16269 16311->16270 16311->16272 16311->16275 16311->16276 16311->16277 16311->16278 16311->16280 16311->16281 16311->16282 16311->16283 16311->16284 16311->16285 16311->16287 16311->16288 16311->16291 16311->16292 16311->16293 16311->16294 16311->16296 16311->16297 16311->16298 16311->16300 16311->16301 16311->16303 16311->16304 16311->16305 16311->16306 16311->16307 16311->16309 16311->16310 16312 40a688 GetTickCount 16311->16312 16313 401feb GetTickCount 16311->16313 16312->16311 16313->16311 16315 40f428 14 API calls 16314->16315 16316 40198a 16315->16316 16317 401990 closesocket 16316->16317 16318 401998 16316->16318 16317->16318 16318->16156 16320 402d21 6 API calls 16319->16320 16321 402f01 16320->16321 16322 402f0f 16321->16322 16335 402df2 GetModuleHandleA 16321->16335 16324 402684 2 API calls 16322->16324 
16326 402f1f 16322->16326 16325 402f1d 16324->16325 16325->16162 16326->16162 16329 401c80 16327->16329 16328 401d1c 16332 401d47 wsprintfA 16328->16332 16329->16328 16330 401cc2 wsprintfA 16329->16330 16334 401d79 16329->16334 16331 402684 2 API calls 16330->16331 16331->16329 16333 402684 2 API calls 16332->16333 16333->16334 16334->16180 16336 402e10 LoadLibraryA 16335->16336 16337 402e0b 16335->16337 16338 402e17 16336->16338 16337->16336 16337->16338 16339 402ef1 16338->16339 16340 402e28 GetProcAddress 16338->16340 16339->16322 16340->16339 16341 402e3e GetProcessHeap HeapAlloc 16340->16341 16342 402e62 16341->16342 16342->16339 16343 402ede GetProcessHeap HeapFree 16342->16343 16344 402e7f htons inet_addr 16342->16344 16345 402ea5 gethostbyname 16342->16345 16347 402ceb 16342->16347 16343->16339 16344->16342 16344->16345 16345->16342 16348 402cf2 16347->16348 16350 402d1c 16348->16350 16351 402d0e Sleep 16348->16351 16352 402a62 GetProcessHeap HeapAlloc 16348->16352 16350->16342 16351->16348 16351->16350 16353 402a92 16352->16353 16354 402a99 socket 16352->16354 16353->16348 16355 402cd3 GetProcessHeap HeapFree 16354->16355 16356 402ab4 16354->16356 16355->16353 16356->16355 16368 402abd 16356->16368 16357 402adb htons 16372 4026ff 16357->16372 16359 402b04 select 16359->16368 16360 402ca4 16361 402cb3 GetProcessHeap HeapFree closesocket 16360->16361 16361->16353 16362 402b3f recv 16362->16368 16363 402b66 htons 16363->16360 16363->16368 16364 402b87 htons 16364->16360 16364->16368 16367 402bf3 GetProcessHeap HeapAlloc 16367->16368 16368->16357 16368->16359 16368->16360 16368->16361 16368->16362 16368->16363 16368->16364 16368->16367 16369 402c17 htons 16368->16369 16371 402c4d GetProcessHeap HeapFree 16368->16371 16379 402923 16368->16379 16391 402904 16368->16391 16387 402871 16369->16387 16371->16368 16373 402717 16372->16373 16375 40271d 16372->16375 16374 40ebcc 4 API calls 16373->16374 16374->16375 16376 40272b GetTickCount htons 16375->16376 16377 
• [Call-graph node/edge data, continued; this is the text form of a graph the report renders as an image. The remaining nodes reference Winsock (htons, socket, ioctlsocket, connect, select, __WSAFDIsSet, setsockopt, send, recv, sendto, closesocket, gethostname, gethostbyname, inet_addr, inet_ntoa), heap (GetProcessHeap, HeapAlloc, HeapReAlloc, HeapFree), file (CreateFileA, WriteFile, CloseHandle, DeleteFileA), string and time (lstrlenA, lstrcpyA, lstrcpynA, lstrcmpA, lstrcmpiA, wsprintfA, GetTickCount, Sleep, GetLocalTime, SystemTimeToFileTime, FileTimeToSystemTime, FileTimeToLocalFileTime, GetSystemTimeAsFileTime, GetTimeZoneInformation), synchronisation (InterlockedExchange, InterlockedIncrement, InterlockedDecrement, GetCurrentThreadId), dynamic import resolution (GetModuleHandleA, LoadLibraryA, GetProcAddress), IsBadCodePtr and, in the 005F0000 and 007D0000 regions, the unpacker stub (GetPEB, SetErrorMode, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, CreateToolhelp32Snapshot, Module32First).]
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                        • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                        • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                        • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                      • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                      • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                      • ExitProcess.KERNEL32 ref: 00409C06
                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                      • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                      • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                      • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                      • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                      • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                      • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                      • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                      • wsprintfA.USER32 ref: 0040A0B6
                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                      • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                        • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                      • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                      • GetLastError.KERNEL32 ref: 0040A3ED
                                                                      • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                      • DeleteFileA.KERNEL32(C:\Users\user\Desktop\rpzOeQ5QzX.exe), ref: 0040A407
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                      • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                      • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                      • GetTickCount.KERNEL32 ref: 0040A49F
                                                                      • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                      • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Similarity
                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                      • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\rpzOeQ5QzX.exe$C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe$D$P$\$hvjnshqw
                                                                      • API String ID: 2089075347-1371845155
                                                                      • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                      • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph
• [Graph data for the function at 0040637C, rendered as a graph in the report. Executed path: GetModuleHandleA and VirtualAlloc in the entry block, call 0040EE08 then VirtualAllocEx, call 004062B7 then WriteProcessMemory, with a branch from each of those blocks to the exit block at 004063F5.]
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                      • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                      • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                      • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
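The two API lists above (the installer routine at 00409A7F-0040A4C3 and the injection routine at 0040638F-004063EB) can be read by hand, but the same constants recur in every sandbox trace, so it pays to decode them mechanically: SetErrorMode(3) is SEM_FAILCRITICALERRORS|SEM_NOGPFAULTERRORBOX, the 80000001 passed to RegOpenKeyExA is HKEY_CURRENT_USER, 08000000 in CreateProcessA's sixth slot is CREATE_NO_WINDOW, and 00000040 in VirtualAllocEx's fifth slot is PAGE_EXECUTE_READWRITE, which followed by WriteProcessMemory is the classic remote-injection primitive. The Python below is an added triage example; it is not part of the Joe Sandbox report and not code from the sample. Its input is a constructed excerpt of the lines above, the constant values are the documented Win32 ones, and the rule set (the tag names, reading the printed stack slots as positional parameters, skipping "Part of subcall function" lines, pairing an executable VirtualAllocEx with the next WriteProcessMemory) is this example's own assumption, not the sandbox's signature engine.

```python
"""Decode and rule-check Joe Sandbox-style API trace lines (added example;
not from the report or the sample).  TRACE is a constructed excerpt copied
from the report's API lists; constants are documented Win32 values; the
rules are this example's own, not the sandbox's signatures."""
from __future__ import annotations

import re
from dataclasses import dataclass

# "• [Part of subcall function X:] API.MODULE[(stack slots)], ref: ADDRESS"
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80
CREATE_NO_WINDOW = 0x08000000
SEM_FLAGS = {0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
             0x0004: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}

@dataclass
class Call:
    api: str
    module: str
    args: list[str]   # raw stack slots as printed ('?' = value unknown to the sandbox)
    ref: str          # address of the call instruction
    nested: bool      # True for "Part of subcall function" lines (callee internals)

@dataclass
class Finding:
    ref: str
    tag: str
    detail: str

def parse_trace(text: str) -> list[Call]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue                                  # headers, hashes, non-API lines
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          m.group("ref").upper(), m.group("sub") is not None))
    return calls

def hexarg(call: Call, i: int) -> int | None:
    """Stack slot i as an int; None for '?', strings such as paths, or missing slots."""
    if i >= len(call.args):
        return None
    try:
        return int(call.args[i], 16)
    except ValueError:
        return None

def triage(calls: list[Call], sample_path: str) -> list[Finding]:
    """Apply ordered sequence rules to the caller's own calls (nested lines skipped)."""
    found: list[Finding] = []
    hive: str | None = None             # root of the most recent RegOpenKeyExA
    exec_alloc: Call | None = None      # VirtualAllocEx(PAGE_EXECUTE_*) awaiting a write
    for c in calls:
        if c.nested:
            continue
        if c.api == "SetErrorMode":
            mode = hexarg(c, 0) or 0
            names = [n for bit, n in SEM_FLAGS.items() if mode & bit]
            if names:
                found.append(Finding(c.ref, "error_ui_suppressed", "|".join(names)))
        elif c.api == "RegOpenKeyExA":
            hive = HIVES.get(hexarg(c, 0))          # slot 0 read as hKey (assumption)
        elif c.api == "RegSetValueExA" and hive:
            found.append(Finding(c.ref, "registry_write", f"value written under {hive}"))
        elif c.api == "CreateProcessA":
            flags = hexarg(c, 5)                    # slot 5 read as dwCreationFlags
            if flags is not None and flags & CREATE_NO_WINDOW:
                found.append(Finding(c.ref, "hidden_process", "CREATE_NO_WINDOW set"))
        elif c.api == "DeleteFileA" and c.args and c.args[0].lower() == sample_path.lower():
            found.append(Finding(c.ref, "self_delete", f"deletes own image {sample_path}"))
        elif c.api == "StartServiceCtrlDispatcherA":
            found.append(Finding(c.ref, "service", "runs as a Windows service"))
        elif c.api == "VirtualAllocEx":
            prot = hexarg(c, 4)                     # slot 4 read as flProtect
            if prot is not None and prot & PAGE_EXECUTE_ANY:
                exec_alloc = c
        elif c.api == "WriteProcessMemory" and exec_alloc is not None:
            prot = hexarg(exec_alloc, 4) or 0
            found.append(Finding(c.ref, "remote_injection",
                                 f"write into {PAGE_PROTECT.get(prot & 0xFF, hex(prot))} "
                                 f"region allocated at {exec_alloc.ref}"))
            exec_alloc = None
    return found

SAMPLE_PATH = r"C:\Users\user\Desktop\rpzOeQ5QzX.exe"       # sample path from the report
TRACE = r"""
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\rpzOeQ5QzX.exe), ref: 0040A407
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
"""

if __name__ == "__main__":
    for f in triage(parse_trace(TRACE), SAMPLE_PATH):
        print(f"{f.ref}  {f.tag:<20} {f.detail}")
```

Running it prints one finding per line, seven in all. The earlier DeleteFileA(00000022) is kept in the excerpt on purpose: the sandbox resolved that argument only as a pointer, so the self-deletion rule fires solely on the later call whose argument was resolved to the sample path. The nested GetTickCount line is skipped so a callee's timing call is not attributed to the caller's own behaviour.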

Control-flow Graph
• [Graph data for the function at 004073FF, rendered as a graph in the report. It opens a key under HKEY_LOCAL_MACHINE with RegOpenKeyExA, iterates subkeys with RegEnumKeyA, opens each one and reads a value with RegQueryValueExA, compares strings with ___ascii_stricmp, checks the referenced path with GetFileAttributesExA, and releases every handle through RegCloseKey on each exit path.]
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 00407472
                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 004074F0
                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 00407528
                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 004076E7
                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 00407717
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 00407745
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 004077EF
                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                      • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "
                                                                      • API String ID: 3433985886-123907689
                                                                      • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                      • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

Control-flow Graph
• [Graph data for the unpacker stub at 005F003C, rendered as a graph in the report. Entry block: calls 005F0A3F, 005F0E0F and 005F0D90, then VirtualAlloc; a loop around VirtualProtect (005F02CE) over the mapped regions; VirtualFree (005F0439); then two LoadLibraryA loops (005F04E3 and 005F086E) for import resolution, ending at 005F08C7.]
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005F024D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: cess$kernel32.dll
                                                                      • API String ID: 4275171209-1230238691
                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction ID: 4b65ce4eff50f675edf1d61a99df40599f3613a345a7b7b0bfdd16d4a1f72893
                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction Fuzzy Hash: B9526974A01229DFDB64CF58C984BA8BBB1BF09304F1480D9E54DAB392DB34AE85DF14

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 470 40977c-4097b9 call 40ee2a CreateProcessA 473 4097c2-4097f3 call 40ee2a Wow64GetThreadContext 470->473 474 4097bb-4097bd 470->474 478 409801-40981c call 40637c 473->478 479 4097f5 473->479 475 409864-409866 474->475 480 4097f6-4097ff TerminateProcess 478->480 483 40981e-409839 WriteProcessMemory 478->483 479->480 480->474 483->479 484 40983b-409856 Wow64SetThreadContext 483->484 484->479 485 409858-409863 ResumeThread 484->485 485->475
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                      • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                      • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                      • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                      • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                      • String ID: D
                                                                      • API String ID: 2098669666-2746444292
                                                                      • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                      • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                      • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                      • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 498 404000-404008 499 40400b-40402a CreateFileA 498->499 500 404057 499->500 501 40402c-404035 GetLastError 499->501 502 404059-40405c 500->502 503 404052 501->503 504 404037-40403a 501->504 505 404054-404056 502->505 503->505 504->503 506 40403c-40403f 504->506 506->502 507 404041-404050 Sleep 506->507 507->499 507->503
                                                                      APIs
                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                      • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                      • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateErrorFileLastSleep
                                                                      • String ID:
                                                                      • API String ID: 408151869-0
                                                                      • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                      • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                      • GetTickCount.KERNEL32 ref: 0040EC78
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                      • String ID:
                                                                      • API String ID: 1209300637-0
                                                                      • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                      • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 509 403718-403734 call 40f04e 512 403849-40384e 509->512 513 40373a-40373b 509->513 514 40373c-403747 513->514 515 403847-403848 514->515 516 40374d-403753 514->516 515->512 517 403836-403839 516->517 518 403759-403770 call 403524 516->518 517->515 520 40383b-403841 517->520 522 403826-403830 518->522 523 403776-403780 518->523 520->514 520->515 522->516 522->517 524 40381c-40381e 523->524 525 403824 524->525 526 403785-40378b 524->526 525->522 526->525 527 403791-403796 526->527 528 403798-40379b 527->528 529 40380f-403819 527->529 528->529 530 40379d-4037a0 528->530 529->524 531 4037a3-4037a6 530->531 532 4037b3-4037c6 GetCurrentThreadId 531->532 533 4037a8-4037af 531->533 535 4037d4-4037dd 532->535 536 4037c8-4037d1 GetCurrentThreadId 532->536 533->531 534 4037b1 533->534 534->529 537 4037f5-4037f7 535->537 538 4037df-4037ee 535->538 536->535 540 4037f8-40380c 537->540 539 4037f0-4037f3 538->539 538->540 539->540 540->529
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$FileSystem
                                                                      • String ID:
                                                                      • API String ID: 2086374402-0
                                                                      • Opcode ID: 5dfcc019ed47ccf545e98633f32ebd9cef86c567c83ccfa17dcce2386541df5a
                                                                      • Instruction ID: c77e3c3662200f4b45311faa76e4ca510bd461b46c102563d7fc0ec12242b992
                                                                      • Opcode Fuzzy Hash: 5dfcc019ed47ccf545e98633f32ebd9cef86c567c83ccfa17dcce2386541df5a
                                                                      • Instruction Fuzzy Hash: 1E415C75D00616EFCB20DF65C4805AEBBF9FF08706B1085BAE856A7791D334AE80CB94

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 541 406e36-406e5d GetUserNameW 542 406ebe-406ec2 541->542 543 406e5f-406e95 LookupAccountNameW 541->543 543->542 544 406e97-406e9b 543->544 545 406ebb-406ebd 544->545 546 406e9d-406ea3 544->546 545->542 546->545 547 406ea5-406eaa 546->547 548 406eb7-406eb9 547->548 549 406eac-406eb0 547->549 548->542 549->545 550 406eb2-406eb5 549->550 550->545 550->548
                                                                      APIs
                                                                      • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountLookupUser
                                                                      • String ID:
                                                                      • API String ID: 2370142434-0
                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 551 7d1157-7d1170 552 7d1172-7d1174 551->552 553 7d117b-7d1187 CreateToolhelp32Snapshot 552->553 554 7d1176 552->554 555 7d1189-7d118f 553->555 556 7d1197-7d11a4 Module32First 553->556 554->553 555->556 563 7d1191-7d1195 555->563 557 7d11ad-7d11b5 556->557 558 7d11a6-7d11a7 call 7d0e16 556->558 561 7d11ac 558->561 561->557 563->552 563->556
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007D117F
                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 007D119F
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134681317.00000000007CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 007CC000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7cc000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                      • String ID:
                                                                      • API String ID: 3833638111-0
                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction ID: cac90277bda2fe6d4a9b705e87546677d3aea421bfb73d944ff27b7edd088629
                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction Fuzzy Hash: 3EF0F635100718BFD7203BF4A88CB6F76F8AF49320F50062AF752912C0DB79EC068A61

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 564 5f0e0f-5f0e24 SetErrorMode * 2 565 5f0e2b-5f0e2c 564->565 566 5f0e26 564->566 566->565
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,005F0223,?,?), ref: 005F0E19
                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,005F0223,?,?), ref: 005F0E1E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction ID: d5a6bee1921c2ef6b516d6639c820d1612de59ea02b9ca9833ad81ad95a80bb3
                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction Fuzzy Hash: 21D0123154512CB7D7002A94DC09BDD7F1CDF05B62F048411FB0DD9081C774994046E5

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 567 406dc2-406dd5 568 406e33-406e35 567->568 569 406dd7-406df1 call 406cc9 call 40ef00 567->569 574 406df4-406df9 569->574 574->574 575 406dfb-406e00 574->575 576 406e02-406e22 GetVolumeInformationA 575->576 577 406e24 575->577 576->577 578 406e2e 576->578 577->578 578->568
                                                                      APIs
                                                                        • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                        • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                        • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                        • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                      • String ID:
                                                                      • API String ID: 1823874839-0
                                                                      • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                      • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 579 409892-4098c0 580 4098c2-4098c5 579->580 581 4098d9 579->581 580->581 582 4098c7-4098d7 580->582 583 4098e0-4098f1 SetServiceStatus 581->583 582->583
                                                                      APIs
                                                                      • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ServiceStatus
                                                                      • String ID:
                                                                      • API String ID: 3969395364-0
                                                                      • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                      • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                      • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                      • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 584 7d0e16-7d0e50 call 7d1129 587 7d0e9e 584->587 588 7d0e52-7d0e85 VirtualAlloc call 7d0ea3 584->588 587->587 590 7d0e8a-7d0e9c 588->590 590->587
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007D0E67
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134681317.00000000007CC000.00000040.00000020.00020000.00000000.sdmp, Offset: 007CC000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_7cc000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction ID: 8b439f4bdd3464e2fddd134fe37a346083c33e3afde01691a7959a409c3da3fd
                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction Fuzzy Hash: D8113F79A00208FFDB01DF98C985E99BBF5AF08350F058095F9489B362D375EA50DF80

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 591 4098f2-4098f4 592 4098f6-409902 call 404280 591->592 595 409904-409913 Sleep 592->595 596 409917 592->596 595->592 597 409915 595->597 598 409919-409942 call 402544 call 40977c 596->598 599 40995e-409960 596->599 597->596 603 409947-409957 call 40ee2a 598->603 603->599
                                                                      APIs
                                                                        • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                      • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateEventSleep
                                                                      • String ID:
                                                                      • API String ID: 3100162736-0
                                                                      • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                      • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                      • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                      • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 005F65F6
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 005F6610
                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 005F6631
                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 005F6652
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                      • Instruction ID: a49562e8eacae7a58c173573b4e41ca400145c8051c494ba2e64521f2bda3d68
                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                      • Instruction Fuzzy Hash: 3411517260021DBFDB219F65DC4AFAB3FA8FB457A5F104024FA09E7251DBB5DD0086A4
                                                                      APIs
                                                                      • ExitProcess.KERNEL32 ref: 005F9E6D
                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 005F9FE1
                                                                      • lstrcat.KERNEL32(?,?), ref: 005F9FF2
                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 005FA004
                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 005FA054
                                                                      • DeleteFileA.KERNEL32(?), ref: 005FA09F
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 005FA0D6
                                                                      • lstrcpy.KERNEL32 ref: 005FA12F
                                                                      • lstrlen.KERNEL32(00000022), ref: 005FA13C
                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 005F9F13
                                                                        • Part of subcall function 005F7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 005F7081
                                                                        • Part of subcall function 005F6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rftxcrag,005F7043), ref: 005F6F4E
                                                                        • Part of subcall function 005F6F30: GetProcAddress.KERNEL32(00000000), ref: 005F6F55
                                                                        • Part of subcall function 005F6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 005F6F7B
                                                                        • Part of subcall function 005F6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 005F6F92
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 005FA1A2
                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 005FA1C5
                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 005FA214
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 005FA21B
                                                                      • GetDriveTypeA.KERNEL32(?), ref: 005FA265
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 005FA29F
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 005FA2C5
                                                                      • lstrcat.KERNEL32(?,00000022), ref: 005FA2D9
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 005FA2F4
                                                                      • wsprintfA.USER32 ref: 005FA31D
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 005FA345
                                                                      • lstrcat.KERNEL32(?,?), ref: 005FA364
                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 005FA387
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 005FA398
                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 005FA1D1
                                                                        • Part of subcall function 005F9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 005F999D
                                                                        • Part of subcall function 005F9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 005F99BD
                                                                        • Part of subcall function 005F9966: RegCloseKey.ADVAPI32(?), ref: 005F99C6
                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 005FA3DB
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 005FA3E2
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 005FA41D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                      • String ID: "$"$"$D$P$\
                                                                      • API String ID: 1653845638-2605685093
                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                      • Instruction ID: f90b51214536ff5ba74288ddaa6788a4c0881a7a0f28f829f5aadc41c3ec345b
                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                      • Instruction Fuzzy Hash: 0DF131B1D4025DAFDF21DBA09C49EFE7BBCBB08304F1444A5E709E2141E7799A848F66
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                      • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                      • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                      • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                      • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                      • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                      • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                      • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                      • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                      • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressProc$LibraryLoad
                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                      • API String ID: 2238633743-3228201535
                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                      • API String ID: 766114626-2976066047
                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe$D
                                                                      • API String ID: 2976863881-2993797894
                                                                      • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                      • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                      • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                      • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 005F7D21
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 005F7D46
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005F7D7D
                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 005F7DA2
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 005F7DC0
                                                                      • EqualSid.ADVAPI32(?,?), ref: 005F7DD1
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 005F7DE5
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005F7DF3
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 005F7E03
                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 005F7E12
                                                                      • LocalFree.KERNEL32(00000000), ref: 005F7E19
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005F7E35
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe$D
                                                                      • API String ID: 2976863881-2993797894
                                                                      • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                      • Instruction ID: f07525e6cc20604ff230c06e1fb49398c6fdf1d4e5c46a99cb316ef664bf1c93
                                                                      • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                      • Instruction Fuzzy Hash: F3A13D7190021DAFDB119FA4DD88BFEBFBDFB48300F14806AE605E6150DB798A85CB64
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                      • API String ID: 2400214276-165278494
                                                                      • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                      • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                      • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                      • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0040A7FB
                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                      • wsprintfA.USER32 ref: 0040A8AF
                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                      • wsprintfA.USER32 ref: 0040A8E2
                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                      • wsprintfA.USER32 ref: 0040A9B9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                      • API String ID: 3650048968-2394369944
                                                                      • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                      • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                      • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                      • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 005F7A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005F7ACD
• GetLengthSid.ADVAPI32(?), ref: 005F7ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 005F7B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 005F7B1F
• EqualSid.ADVAPI32(?,?), ref: 005F7B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 005F7B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005F7B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 005F7B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 005F7B77
• LocalFree.KERNEL32(00000000), ref: 005F7B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005F7B9A
• GetAce.ADVAPI32(?,?,?), ref: 005F7BCA
• EqualSid.ADVAPI32(?,?), ref: 005F7BF1
• DeleteAce.ADVAPI32(?,?), ref: 005F7C0A
• EqualSid.ADVAPI32(?,?), ref: 005F7C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 005F7CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005F7CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 005F7CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 005F7CE0
• LocalFree.KERNEL32(00000000), ref: 005F7CEE
Memory Dump Source
• Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: cb6c900d9f1c98eb6c023360f552dba4c4d49eed8afdb5de105dc5bf489a06d7
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: D2813B7190421EABDB11CFA4DD88FEEBFB8BF0C300F14816AE615E6150E7799A41CB64
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Memory Dump Source
• Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe$localcfg
• API String ID: 237177642-1530340706
• Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Memory Dump Source
• Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
• Opcode ID: a0e9a54620e17a19c471557000c2f4691014b1237bb567fcc585c5994024cd6c
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
• Opcode Fuzzy Hash: a0e9a54620e17a19c471557000c2f4691014b1237bb567fcc585c5994024cd6c
• Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Memory Dump Source
• Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
• Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Memory Dump Source
• Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
• Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 005F865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 005F867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 005F86A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 005F86B1
Memory Dump Source
• Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe
• API String ID: 237177642-2177103128
• Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction ID: dd7e0c9c2fc13ee3119829f2b0a3c34975fc19175cdb5f7581a8b2fb481ea52c
• Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction Fuzzy Hash: 61C19EB290010DBEEB11ABA4DD89EFE7FBDFB58300F144465F700E2051EAB94A848B65
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
• Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
APIs
• ShellExecuteExW.SHELL32(?), ref: 005F1601
• lstrlenW.KERNEL32(-00000003), ref: 005F17D8
Memory Dump Source
• Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
• Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction ID: 1ee684ce89c35ee6e753ef361ff9f807e207956347c1ffc6c250cf0491a6bcc3
• Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction Fuzzy Hash: CFF1AFB1508745DFD720DF64C988BABBBE4FB88300F10892DF69697290D7B8D944CB5A
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 005F76D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 005F7757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 005F778F
• ___ascii_stricmp.LIBCMT ref: 005F78B4
• RegCloseKey.ADVAPI32(?), ref: 005F794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 005F796D
• RegCloseKey.ADVAPI32(?), ref: 005F797E
• RegCloseKey.ADVAPI32(?), ref: 005F79AC
• RegCloseKey.ADVAPI32(?), ref: 005F7A56
  • Part of subcall function 005FF40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,005F772A,?), ref: 005FF414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 005F79F6
• RegCloseKey.ADVAPI32(?), ref: 005F7A4D
Memory Dump Source
• Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: 77ebde64b93ad353c75a91f6ef63055fea4a0e9f56a2d069e4b1eb9c67846c78
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: 3EC1827190410EABDB119BA4DC49FFE7FB9FF49310F1040A5F644E6191EB799A84CB60
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(76230F10,?,76230F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(76230F10), ref: 00407208
• RegCloseKey.ADVAPI32(76230F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(76230F10), ref: 004072D0
• RegCloseKey.ADVAPI32(76230F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(76230F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Memory Dump Source
• Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 005F2CED
• socket.WS2_32(00000002,00000002,00000011), ref: 005F2D07
• htons.WS2_32(00000000), ref: 005F2D42
• select.WS2_32 ref: 005F2D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 005F2DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 005F2E62
Memory Dump Source
• Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: 7eb36d097d3881ef56d45226cbd3f4414d54ea7ddded5be8be80b75df218c9a2
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: BE61D0B1508309ABC3209F60DC09B7BBFF8FB88341F104819FB8497251D7B9D8808BA6
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Memory Dump Source
• Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
Similarity
                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                      • API String ID: 3631595830-1816598006
                                                                      • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                      • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                      • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                      • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                      • htons.WS2_32(00000035), ref: 00402E88
                                                                      • inet_addr.WS2_32(?), ref: 00402E93
                                                                      • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                      • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                      • API String ID: 929413710-2099955842
                                                                      • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                      • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                      • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                      • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                      • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                      • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                      • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                      • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,76230F10,00000000), ref: 0040688B
                                                                      • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 00406906
                                                                      • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,76230F10,00000000), ref: 0040691C
                                                                      • CloseHandle.KERNEL32(000000FF,?,76230F10,00000000), ref: 00406971
                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                      • String ID:
                                                                      • API String ID: 2622201749-0
                                                                      • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                      • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                      • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                      • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                      • wsprintfA.USER32 ref: 004093CE
                                                                      • wsprintfA.USER32 ref: 0040940C
                                                                      • wsprintfA.USER32 ref: 0040948D
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID: runas
                                                                      • API String ID: 3696105349-4000483414
                                                                      • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                      • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                      • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                      • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0040B467
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$wsprintf
                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                      • API String ID: 1220175532-2340906255
                                                                      • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                      • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                      • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                      • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 005F202D
                                                                      • GetSystemInfo.KERNEL32(?), ref: 005F204F
                                                                      • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 005F206A
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 005F2071
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 005F2082
                                                                      • GetTickCount.KERNEL32 ref: 005F2230
                                                                        • Part of subcall function 005F1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 005F1E7C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                      • API String ID: 4207808166-1391650218
                                                                      • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                      • Instruction ID: 4eb807b83a2781317ed46168a622f37c900e0325f6c3aa587934fb172b4dd1af
                                                                      • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                      • Instruction Fuzzy Hash: 555191B050074DAFE320AF658C8AF77BEECFB94704F00491DFA9682152D6BDA944C769
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00402078
                                                                      • GetTickCount.KERNEL32 ref: 004020D4
                                                                      • GetTickCount.KERNEL32 ref: 004020DB
                                                                      • GetTickCount.KERNEL32 ref: 0040212B
                                                                      • GetTickCount.KERNEL32 ref: 00402132
                                                                      • GetTickCount.KERNEL32 ref: 00402142
                                                                        • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                        • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                        • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                        • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                        • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                      • API String ID: 3976553417-1522128867
                                                                      • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                      • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                      • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                      • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                      APIs
                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                      • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                      • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                      • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateEventExitProcess
                                                                      • String ID:
                                                                      • API String ID: 2404124870-0
                                                                      • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                      • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                      • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                      • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                      APIs
                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                      • String ID: localcfg
                                                                      • API String ID: 1553760989-1857712256
                                                                      • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                      • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 005F3068
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 005F3078
                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 005F3095
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005F30B6
                                                                      • htons.WS2_32(00000035), ref: 005F30EF
                                                                      • inet_addr.WS2_32(?), ref: 005F30FA
                                                                      • gethostbyname.WS2_32(?), ref: 005F310D
                                                                      • HeapFree.KERNEL32(00000000), ref: 005F314D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: iphlpapi.dll
                                                                      • API String ID: 2869546040-3565520932
                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction ID: 28c77ffafc7d2a64c83b2ceb9db5dd5b507cf1358e21a5c9814c36123211ea41
                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction Fuzzy Hash: FE318731A0060EABEB119BB49C48EBE7F78BF05760F144165E618E7290DB78DE41CB54
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?), ref: 005F95A7
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005F95D5
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 005F95DC
                                                                      • wsprintfA.USER32 ref: 005F9635
                                                                      • wsprintfA.USER32 ref: 005F9673
                                                                      • wsprintfA.USER32 ref: 005F96F4
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 005F9758
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 005F978D
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 005F97D8
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID:
                                                                      • API String ID: 3696105349-0
                                                                      • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction ID: 7e12a67df7d257f43d5a0e8c8b4f4089f24191dcc0d8fdbfaf36d626f8fde2dc
                                                                      • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction Fuzzy Hash: D7A170B190060DEBEB21EFA0CC49FEA3FACFB45740F104026FA1596151E7B9D984CBA5
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                      • API String ID: 3560063639-3847274415
                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                      APIs
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                      • API String ID: 1586166983-1625972887
                                                                      • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                      • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                      APIs
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                      • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                      • String ID:
                                                                      • API String ID: 3188212458-0
                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                      APIs
                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 005F67C3
                                                                      • htonl.WS2_32(?), ref: 005F67DF
                                                                      • htonl.WS2_32(?), ref: 005F67EE
                                                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 005F68F1
                                                                      • ExitProcess.KERNEL32 ref: 005F69BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Processhtonl$CurrentExitHugeRead
                                                                      • String ID: except_info$localcfg
                                                                      • API String ID: 1150517154-3605449297
                                                                      • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                      • Instruction ID: cc3be65694bdd9221a82fa58b1b2846e441fb8b797f0b2d288f2be0954f3c562
                                                                      • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                      • Instruction Fuzzy Hash: 69616071940208AFDB609FB4DC45FEA7BE9FF48300F14806AFA6DD2161DAB59990CF54
                                                                      APIs
                                                                      • htons.WS2_32(005FCC84), ref: 005FF5B4
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 005FF5CE
                                                                      • closesocket.WS2_32(00000000), ref: 005FF5DC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                      • Instruction ID: 65cb0304a9ead31711ef45e4eef9f089d35efe6f0ff2c71945dbe963592d3487
                                                                      • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                      • Instruction Fuzzy Hash: 02314B7290011DABDB109FA5EC899EF7BBCFF88310F104566FA15D3150EB749A818BA4
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                      • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                      • wsprintfA.USER32 ref: 00407036
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                      • String ID: /%d$|
                                                                      • API String ID: 676856371-4124749705
                                                                      • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                      • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                      • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                      • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(?), ref: 005F2FA1
                                                                      • LoadLibraryA.KERNEL32(?), ref: 005F2FB1
                                                                      • GetProcAddress.KERNEL32(00000000,004103F0), ref: 005F2FC8
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 005F3000
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005F3007
                                                                      • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 005F3032
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                      • String ID: dnsapi.dll
                                                                      • API String ID: 1242400761-3175542204
                                                                      • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                      • Instruction ID: 6e4bebfaa78a162eaf0f1b2bee331d1bdbe49a020d7fbf40df2c77effd4ebf30
                                                                      • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                      • Instruction Fuzzy Hash: D521317194162AEBDB219B55DC499BEBFBCFF08B50F104421FA05E7140D7B89A8187D4
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                      • API String ID: 1082366364-3395550214
                                                                      • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                      • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                      • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                      • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 005F9A18
                                                                      • GetThreadContext.KERNEL32(?,?), ref: 005F9A52
                                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 005F9A60
                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 005F9A98
                                                                      • SetThreadContext.KERNEL32(?,00010002), ref: 005F9AB5
                                                                      • ResumeThread.KERNEL32(?), ref: 005F9AC2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                      • String ID: D
                                                                      • API String ID: 2981417381-2746444292
                                                                      • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                      • Instruction ID: 02b8497f8199d2bddf8f0bf061fdbde998c3a6ca4a016353ae8877bbf4a58345
                                                                      • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                      • Instruction Fuzzy Hash: 7F211971901119BBDB219BA1DC09EEFBFBCEF04750F404061BA19E1150EA758A84CAA4
                                                                      APIs
                                                                      • inet_addr.WS2_32(004102D8), ref: 005F1C18
                                                                      • LoadLibraryA.KERNEL32(004102C8), ref: 005F1C26
                                                                      • GetProcessHeap.KERNEL32 ref: 005F1C84
                                                                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 005F1C9D
                                                                      • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 005F1CC1
                                                                      • HeapFree.KERNEL32(?,00000000,00000000), ref: 005F1D02
                                                                      • FreeLibrary.KERNEL32(?), ref: 005F1D0B
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                      • String ID:
                                                                      • API String ID: 2324436984-0
                                                                      • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                      • Instruction ID: 41dbf5b38a8b6fcf061f4414cfddd7d377b699146aa7d8bddfe3eaf24b5f74e8
                                                                      • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                      • Instruction Fuzzy Hash: FB311D31D0065DEFCB119FA4DC888BEBFB9FB45751B24447AE601E6110D7B94E80DB98
                                                                      APIs
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 005F6CE4
                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 005F6D22
                                                                      • GetLastError.KERNEL32 ref: 005F6DA7
                                                                      • CloseHandle.KERNEL32(?), ref: 005F6DB5
                                                                      • GetLastError.KERNEL32 ref: 005F6DD6
                                                                      • DeleteFileA.KERNEL32(?), ref: 005F6DE7
                                                                      • GetLastError.KERNEL32 ref: 005F6DFD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                      • String ID:
                                                                      • API String ID: 3873183294-0
                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction ID: a55903d658681f225e11a726248d28e4c52e9f655831273052e500068c568db1
                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction Fuzzy Hash: 2131EE76A0024DBFCB019FA49D49AEF7F79FB88300F148565E311E3221D7748A858B61
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\rftxcrag,005F7043), ref: 005F6F4E
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 005F6F55
                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 005F6F7B
                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 005F6F92
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                      • String ID: C:\Windows\SysWOW64\$\\.\pipe\rftxcrag
                                                                      • API String ID: 1082366364-666812975
                                                                      • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                      • Instruction ID: ce315f71f48a5ba712b8de31b18a05e67e724aed6281589f66009ec13e9d8a40
                                                                      • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                      • Instruction Fuzzy Hash: BE21312174134D7AF3225330AC8DFFB2E4CAF96720F0840A5F600E6592DADD88D6C2AD
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen
                                                                      • String ID: $localcfg
                                                                      • API String ID: 1659193697-2018645984
                                                                      • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                      • Instruction ID: 02e76b63e47d78e53e8f277c7e1c015ec2e135456a7076a562dbcd44bd541472
                                                                      • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                      • Instruction Fuzzy Hash: D77116F1A4030DAADF219A54DC8ABFE3F69BB40345F244426FB0DA6091DB6E8D848757
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                      • String ID: flags_upd$localcfg
                                                                      • API String ID: 204374128-3505511081
                                                                      • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                      • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                      APIs
                                                                        • Part of subcall function 005FDF6C: GetCurrentThreadId.KERNEL32 ref: 005FDFBA
                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 005FE8FA
                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,005F6128), ref: 005FE950
                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 005FE989
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                      • String ID: A$ A$ A
                                                                      • API String ID: 2920362961-1846390581
                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                      • Instruction ID: 64aef65ee3716fb073030091fbba92defc22e6a57776ae0b1967515457a96c7b
                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                      • Instruction Fuzzy Hash: B031903160070D9BDB718F24C98ABBA7FE5FB55720F10892AF75587561D3B8E880CBA1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Code
                                                                      • String ID:
                                                                      • API String ID: 3609698214-0
                                                                      • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                      • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                      • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                      • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Code
                                                                      • String ID:
                                                                      • API String ID: 3609698214-0
                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                      • Instruction ID: 2fd8dd7f18a45043bb7dd4bd753414e55af6c299bf7a9c3f8227a14bdb4970d4
                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                      • Instruction Fuzzy Hash: 66214D7720411DBFDB109B60FC49EEF7FADEB49360B208425F702D1091EB799A409674
                                                                      APIs
                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                      • wsprintfA.USER32 ref: 004090E9
                                                                      • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                      • String ID:
                                                                      • API String ID: 2439722600-0
                                                                      • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                      • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                      • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                      • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                      APIs
                                                                      • GetTempPathA.KERNEL32(00000400,?), ref: 005F92E2
                                                                      • wsprintfA.USER32 ref: 005F9350
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 005F9375
                                                                      • lstrlen.KERNEL32(?,?,00000000), ref: 005F9389
                                                                      • WriteFile.KERNEL32(00000000,?,00000000), ref: 005F9394
                                                                      • CloseHandle.KERNEL32(00000000), ref: 005F939B
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                      • String ID:
                                                                      • API String ID: 2439722600-0
                                                                      • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                      • Instruction ID: 9317a40d8a9fb2a86f53fe4eef57991c59a5d2f97d87d79aaf19ff5450343425
                                                                      • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                      • Instruction Fuzzy Hash: 901172B66401197BE7216731EC0EFFF3E6DEFC8B10F008065BB09A6091EAB84A418665
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                      • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                      • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,0040E538,?,76230F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                      • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 3819781495-0
                                                                      • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                      • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                      • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                      • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 005FC6B4
                                                                      • InterlockedIncrement.KERNEL32(005FC74B), ref: 005FC715
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,005FC747), ref: 005FC728
                                                                      • CloseHandle.KERNEL32(00000000,?,005FC747,00413588,005F8A77), ref: 005FC733
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 1026198776-1857712256
                                                                      • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                      • Instruction ID: b4b824d724612763a758cfbc63356924f2291c74374ac0eb13529adb4031e2ae
                                                                      • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                      • Instruction Fuzzy Hash: 5C513FB1A05B498FD7249F69C6C5526BFE9FB88300B50593EE28BC7A90D778F844CB10
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 0040815F
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408187
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 004081BE
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 00408210
                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 0040677E
                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 0040679A
                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 004067B0
                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 004067BF
                                                                        • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 004067D3
                                                                        • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,76230F10,00000000), ref: 00406807
                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040681F
                                                                        • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 0040683E
                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 0040685C
                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                      • String ID: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe
                                                                      • API String ID: 124786226-3652848383
                                                                      • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                      • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                      • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                      • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,005FE50A,00000000,00000000,00000000,00020106,00000000,005FE50A,00000000,000000E4), ref: 005FE319
                                                                      • RegSetValueExA.ADVAPI32(005FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 005FE38E
                                                                      • RegDeleteValueA.ADVAPI32(005FE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D_), ref: 005FE3BF
                                                                      • RegCloseKey.ADVAPI32(005FE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D_,005FE50A), ref: 005FE3C8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID: D_
                                                                      • API String ID: 2667537340-2347782904
                                                                      • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                      • Instruction ID: 1b7ffa3c550cd6f021caa655ed7ef598f7e57bdebd60be57299fd8b8e863e7b0
                                                                      • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                      • Instruction Fuzzy Hash: 84218031A0021DBBDF209FA4EC8AEEE7F78EF08750F048431FA04E6061E2719A54D790
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 005F71E1
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005F7228
                                                                      • LocalFree.KERNEL32(?,?,?), ref: 005F7286
                                                                      • wsprintfA.USER32 ref: 005F729D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                      • String ID: |
                                                                      • API String ID: 2539190677-2343686810
                                                                      • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                      • Instruction ID: ffe9d0e9c240da61aecada4a404fc0b974d8b2c03a95d54ddad8ec55c0544eeb
                                                                      • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                      • Instruction Fuzzy Hash: 84310B7690410DBBDB01DFA8DC49AEA7FACFF08314F148066F959DB101EB79D6488B94
                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                      • String ID: LocalHost
                                                                      • API String ID: 3695455745-3154191806
                                                                      • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                      • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                      • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                      • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                      • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: QueryValue$CloseOpen
                                                                      • String ID:
                                                                      • API String ID: 1586453840-0
                                                                      • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                      • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                      • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                      • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 005FB51A
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005FB529
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 005FB548
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 005FB590
                                                                      • wsprintfA.USER32 ref: 005FB61E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                      • String ID:
                                                                      • API String ID: 4026320513-0
                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction ID: 0eed2b768c2e57acbf72b574aa4d5fac5d78c0c25fe765ccd4f5ff1692b861c8
                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction Fuzzy Hash: 76511DB1D0021DEADF14DFD5D8895FEBBB9BF48304F10852AE601A6150E7B84AC9CF98
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                      • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$CreateEvent
                                                                      • String ID:
                                                                      • API String ID: 1371578007-0
                                                                      • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                      • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                      • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                      • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 2438460464-0
                                                                      • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                      • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                      • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                      • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                      APIs
                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 005F6303
                                                                      • LoadLibraryA.KERNEL32(?), ref: 005F632A
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 005F63B1
                                                                      • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 005F6405
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HugeRead$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 3498078134-0
                                                                      • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                      • Instruction ID: 9350fc3384c7618129940a482112ed808e8824c63ec28b52c3226e01b141ac8c
                                                                      • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                      • Instruction Fuzzy Hash: 67416C71A0020EEFDB14CF58C884AB9BBB8FF04358F248969EA15D7290E779ED40DB50
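The two entries above (the function at 0040609C in the 00400000 image and its copy at 005F6303 in the 005F0000 region) probe memory with IsBadReadPtr / IsBadHugeReadPtr for 0x14 bytes and then call LoadLibraryA and GetProcAddress. 0x14 is sizeof(IMAGE_IMPORT_DESCRIPTOR), one entry of a PE import directory, so the shape is that of a loader resolving imports by hand; the report does not state this itself, it is the reader's interpretation. The following Python is an added example, not code from the sample or from Joe Sandbox: it builds a small import directory from constructed data (two DLLs, three imports, one of them by ordinal) and walks it the way such a loader does, with the 0x14-byte readability check in the place where the report shows the IsBadReadPtr call. The resolver only records what a loader would hand to LoadLibraryA and GetProcAddress; the module and function names in the test image are arbitrary.

```python
"""Walk a PE import descriptor table the way a manual loader does.

Added example, not from the sample or Joe Sandbox. The entries above probe
memory with IsBadReadPtr(p, 0x14) before LoadLibraryA/GetProcAddress; 0x14 is
sizeof(IMAGE_IMPORT_DESCRIPTOR), one entry of a PE import directory, which is
the reading this example illustrates. The mini-image is constructed here and
the walker only records what a loader would pass to LoadLibraryA/GetProcAddress.
"""
import struct
from typing import Dict, List, Tuple, Union

IMPORT_DESCRIPTOR_SIZE = 0x14        # sizeof(IMAGE_IMPORT_DESCRIPTOR): five DWORDs
DESC = struct.Struct("<IIIII")       # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
IMAGE_ORDINAL_FLAG32 = 0x80000000    # thunk imports by ordinal when this bit is set

def build_image(imports: Dict[str, List[Union[str, int]]]) -> bytes:
    """Constructed test image: descriptors at RVA 0, then name, thunks and IAT per DLL."""
    blob = bytearray(DESC.size * (len(imports) + 1))     # last descriptor stays all-zero
    def place(data: bytes) -> int:
        rva = len(blob)
        blob.extend(data)
        return rva
    for i, (dll, funcs) in enumerate(imports.items()):
        name_rva = place(dll.encode() + b"\0")
        thunks = [IMAGE_ORDINAL_FLAG32 | f if isinstance(f, int)
                  else place(struct.pack("<H", 0) + f.encode() + b"\0")   # IMAGE_IMPORT_BY_NAME
                  for f in funcs]
        oft = place(struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0))
        ft = place(bytes(4 * (len(thunks) + 1)))          # IAT slots a loader would fill in
        DESC.pack_into(blob, i * DESC.size, oft, 0, 0, name_rva, ft)
    return bytes(blob)

def readable(image: bytes, rva: int, size: int) -> bool:
    """Stand-in for IsBadReadPtr(p, size) returning FALSE."""
    return 0 <= rva and rva + size <= len(image)

def cstr(image: bytes, rva: int) -> str:
    return image[rva:image.index(b"\0", rva)].decode()

def walk_imports(image: bytes, dir_rva: int = 0) -> List[Tuple[str, Union[str, int]]]:
    """Return (dll, name-or-ordinal) pairs in the order a loader would resolve them."""
    resolved = []
    rva = dir_rva
    while True:
        if not readable(image, rva, IMPORT_DESCRIPTOR_SIZE):     # the 0x14-byte probe
            raise ValueError(f"import descriptor at {rva:#x} not readable")
        oft, _stamp, _fwd, name_rva, ft = DESC.unpack_from(image, rva)
        if name_rva == 0 and ft == 0:
            break                                             # all-zero terminator
        dll = cstr(image, name_rva)                           # -> LoadLibraryA(dll)
        thunk_rva = oft or ft                                 # bound images may zero OFT
        while True:
            (thunk,) = struct.unpack_from("<I", image, thunk_rva)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                resolved.append((dll, thunk & 0xFFFF))            # GetProcAddress by ordinal
            else:
                resolved.append((dll, cstr(image, thunk + 2)))    # skip the WORD hint
            thunk_rva += 4
        rva += IMPORT_DESCRIPTOR_SIZE
    return resolved

if __name__ == "__main__":
    img = build_image({"kernel32.dll": ["LoadLibraryA", "GetProcAddress"], "ws2_32.dll": [23]})
    print(walk_imports(img))
```

The readability check before every descriptor read is the part that matters for a loader operating on a buffer it did not map itself: an import table without a terminating all-zero entry, or a region shorter than one descriptor, is rejected instead of being read past its end.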
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                      • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                      • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                      • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,00405EC1), ref: 0040E693
                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                      • lstrcmpA.KERNEL32(?,00000008,?,76230F10,00000000,?,00405EC1), ref: 0040E722
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                      • String ID: A$ A
                                                                      • API String ID: 3343386518-686259309
                                                                      • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                      • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                      • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                      • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                        • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                      • String ID:
                                                                      • API String ID: 1802437671-0
                                                                      • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                      • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                      • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                      • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                      APIs
                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                      • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                      • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                      • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID:
                                                                      • API String ID: 3857584221-0
                                                                      • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                      • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                      • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                      • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
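The API entries in this listing are what a triage analyst has to read directly: the setsockopt entry above carries its level and option arguments only as hex (with the documented winsock2.h values, 0000FFFF/00000004 is SOL_SOCKET/SO_REUSEADDR, 00001005 is SO_SNDTIMEO, 00001006 is SO_RCVTIMEO, 00000006/00000001 is IPPROTO_TCP/TCP_NODELAY and 00000080 is SO_LINGER, so the function configures a TCP socket), and the GetModuleFileNameA entry above shows the write-a-file-under-the-temp-path-then-ShellExecuteA-it chain only as an ordered list of calls. The following Python is an added example, not Joe Sandbox code and not code from the sample: it parses entries in this report's line format, decodes setsockopt arguments with those constant values, and checks an entry for an ordered API chain. The two input strings are copied from the entries above; the regex, the ApiCall structure and the DROP_AND_RUN chain definition are this example's own.

```python
"""Parse the 'APIs' entries of this Joe Sandbox listing and decode them.

Added example: not Joe Sandbox code and not code from the sample. The two
input strings are copied from the setsockopt and ShellExecuteA entries above;
the constant tables are the documented winsock2.h values. The regex and the
chain definition are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

SETSOCKOPT_ENTRY = """\
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
"""

DROPPER_ENTRY = """\
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
"""

# One call line: optional "Part of subcall function <addr>:", api.MODULE, optional "(args)", "ref: <addr>".
_CALL = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
Arg = Union[int, str, None]

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                      # address of the call instruction
    caller: Optional[int] = None  # callee address on "Part of subcall function" lines

def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None               # value the plugin could not resolve statically
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{8})", tok)
    if m:
        v = int(m.group(2), 16)
        return -v if m.group(1) else v
    return tok                    # recovered string argument, e.g. 'localcfg'

def parse_entry(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _CALL.match(line)
        if not m:
            continue              # 'APIs', 'Strings' and other header lines are skipped
        raw = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("module"),
            args=[parse_arg(t) for t in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16),
            caller=int(m.group("caller"), 16) if m.group("caller") else None))
    return calls

SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
_LEVEL = {SOL_SOCKET: "SOL_SOCKET", IPPROTO_TCP: "IPPROTO_TCP"}
_OPT = {SOL_SOCKET: {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0080: "SO_LINGER",
                     0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"},
        IPPROTO_TCP: {0x0001: "TCP_NODELAY"}}

def decode_setsockopt(call: ApiCall) -> str:
    """'LEVEL/OPTION' for setsockopt(s, level, optname, optval, optlen)."""
    if call.api != "setsockopt" or len(call.args) < 3:
        raise ValueError("not a setsockopt call")
    level, opt = call.args[1], call.args[2]
    return f"{_LEVEL.get(level, f'level_{level}')}/{_OPT.get(level, {}).get(opt, f'opt_{opt}')}"

def has_api_chain(calls: List[ApiCall], chain: List[str]) -> bool:
    """True when the API names in chain occur in this order (gaps allowed)."""
    names = iter(c.api for c in calls)
    return all(any(n == want for n in names) for want in chain)

# Write-a-file-under-the-temp-path-then-launch-it chain, as in the entry above.
DROP_AND_RUN = ["GetModuleFileNameA", "GetTempPathA", "CreateFileA", "WriteFile", "ShellExecuteA"]

if __name__ == "__main__":
    for c in parse_entry(SETSOCKOPT_ENTRY):
        print(f"{c.ref:08X}: {decode_setsockopt(c)}")
    print("drop-and-run chain:", has_api_chain(parse_entry(DROPPER_ENTRY), DROP_AND_RUN))
```

Subcall lines keep their caller address, so a chain check can be restricted to one function when two listings share the same subroutine, as the 00400000 and 005F0000 copies of this function do; the "?" arguments are kept as None rather than dropped so positional decoding (level is always the second setsockopt argument) still works.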
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005F93C6
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 005F93CD
                                                                      • CharToOemA.USER32(?,?), ref: 005F93DB
                                                                      • wsprintfA.USER32 ref: 005F9410
                                                                        • Part of subcall function 005F92CB: GetTempPathA.KERNEL32(00000400,?), ref: 005F92E2
                                                                        • Part of subcall function 005F92CB: wsprintfA.USER32 ref: 005F9350
                                                                        • Part of subcall function 005F92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 005F9375
                                                                        • Part of subcall function 005F92CB: lstrlen.KERNEL32(?,?,00000000), ref: 005F9389
                                                                        • Part of subcall function 005F92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 005F9394
                                                                        • Part of subcall function 005F92CB: CloseHandle.KERNEL32(00000000), ref: 005F939B
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 005F9448
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID:
                                                                      • API String ID: 3857584221-0
                                                                      • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                      • Instruction ID: b35f7be51367398d91a706b838e8596f89ae3bd0e01bcffb72c1512c8842c02b
                                                                      • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                      • Instruction Fuzzy Hash: 600152F69001197BDB21A7619D4DFEF3B7CEB95701F0040A1BB49E2080EAB896C58F75
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$lstrcmpi
                                                                      • String ID: localcfg
                                                                      • API String ID: 1808961391-1857712256
                                                                      • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                      • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                      • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                      • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                      • API String ID: 2574300362-1087626847
                                                                      • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                      • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                      • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                      • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                      APIs
                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: hi_id$localcfg
                                                                      • API String ID: 2777991786-2393279970
                                                                      • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                      • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                      • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                      • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                      APIs
                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                      • String ID: *p@
                                                                      • API String ID: 3429775523-2474123842
                                                                      • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                      • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                      • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                      • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbynameinet_addr
                                                                      • String ID: time_cfg$u6A
                                                                      • API String ID: 1594361348-1940331995
                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction ID: fec5bf796ca797894756f1667621db095f25e0209a1351d721d1571ef19b702b
                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction Fuzzy Hash: 82E0C7306082218FCB008B2CF848AEA3BE4FF0A330F008180F180C32A2C778DCC0AB80
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 005F69E5
                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 005F6A26
                                                                      • GetFileSize.KERNEL32(000000FF,00000000), ref: 005F6A3A
                                                                      • CloseHandle.KERNEL32(000000FF), ref: 005F6BD8
                                                                        • Part of subcall function 005FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,005F1DCF,?), ref: 005FEEA8
                                                                        • Part of subcall function 005FEE95: HeapFree.KERNEL32(00000000), ref: 005FEEAF
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                      • String ID:
                                                                      • API String ID: 3384756699-0
                                                                      • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                      • Instruction ID: c02441fa22aecc5a2d975fedce49d3c3861348177a7c8a88a0749f0d8f9c70a2
                                                                      • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                      • Instruction Fuzzy Hash: D171157190021DEFDB109FA4CD85AFEBFB9FB04314F10456AEA15E6190D7389E92DB60
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf
                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                      • API String ID: 2111968516-120809033
                                                                      • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                      • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                      • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                      • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                      • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                      • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                      • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID:
                                                                      • API String ID: 2667537340-0
                                                                      • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                      • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                      • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                      • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                      • GetLastError.KERNEL32 ref: 00403F4E
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                      • GetLastError.KERNEL32 ref: 00403FC2
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 005F41AB
                                                                      • GetLastError.KERNEL32 ref: 005F41B5
                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 005F41C6
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 005F41D9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction ID: 5569af926d0707c4ad44251ac59c7278ff49bcb9d0fe7bc9924661cae7ca75a9
                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction Fuzzy Hash: A701927691110EABDB01DF91ED84BEB7BA8BB18355F108461FA01E2050D774AAA4CBA6
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 005F421F
                                                                      • GetLastError.KERNEL32 ref: 005F4229
                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 005F423A
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 005F424D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction ID: 31f8dac4be47e35367be13c990cfbf1cc3648be7ced4230639fabc521db5127f
                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction Fuzzy Hash: EA019072911209ABDF01DF90EE84BEF7BACFB08356F108461FA01E2050D774AA549BA6
                                                                      APIs
                                                                      • lstrcmp.KERNEL32(?,80000009), ref: 005FE066
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp
                                                                      • String ID: A$ A$ A
                                                                      • API String ID: 1534048567-1846390581
                                                                      • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                      • Instruction ID: a3a973a1b34d371441ab2d6a7e08cc8fed27dec50f9177626367e3d8274b0535
                                                                      • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                      • Instruction Fuzzy Hash: 24F06831200705DBCB20CF15D888992BBEDFB05321B548B2AE254C3070D7B8A895CB55
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                      • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                      • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                      • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                      • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                      • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404E9E
                                                                      • GetTickCount.KERNEL32 ref: 00404EAD
                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                      • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                      • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                      • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404BDD
                                                                      • GetTickCount.KERNEL32 ref: 00404BEC
                                                                      • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                      • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                      • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                      • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                      • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00403103
                                                                      • GetTickCount.KERNEL32 ref: 0040310F
                                                                      • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                      • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                      • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                      • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000001,D_,00000000,00000000,00000000), ref: 005FE470
                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 005FE484
                                                                        • Part of subcall function 005FE2FC: RegCreateKeyExA.ADVAPI32(80000001,005FE50A,00000000,00000000,00000000,00020106,00000000,005FE50A,00000000,000000E4), ref: 005FE319
                                                                        • Part of subcall function 005FE2FC: RegSetValueExA.ADVAPI32(005FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 005FE38E
                                                                        • Part of subcall function 005FE2FC: RegDeleteValueA.ADVAPI32(005FE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D_), ref: 005FE3BF
                                                                        • Part of subcall function 005FE2FC: RegCloseKey.ADVAPI32(005FE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D_,005FE50A), ref: 005FE3C8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                      • String ID: D_
                                                                      • API String ID: 4151426672-2347782904
                                                                      • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                      • Instruction ID: 44c35db9b710ac2ff0210992c75c6d7255ab76122710944bfd6a9c602fd7c56e
                                                                      • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                      • Instruction Fuzzy Hash: A541ACB190021DBAEB206A558C4BFFF3F6CFB44714F148025FB09941A2E7B98A50DA75
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 005F83C6
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 005F8477
                                                                        • Part of subcall function 005F69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 005F69E5
                                                                        • Part of subcall function 005F69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 005F6A26
                                                                        • Part of subcall function 005F69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 005F6A3A
                                                                        • Part of subcall function 005FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,005F1DCF,?), ref: 005FEEA8
                                                                        • Part of subcall function 005FEE95: HeapFree.KERNEL32(00000000), ref: 005FEEAF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                      • String ID: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe
                                                                      • API String ID: 359188348-3652848383
                                                                      • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                      • Instruction ID: 0e85419026b02a645d4c09781bf51602d2d5860d7c4f6b477b95420cf8204464
                                                                      • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                      • Instruction Fuzzy Hash: A3414FB290010EBEEF10EBA49E89DFF7F6CFB44344F144466E704D6151EAB85A988B64
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 005FAFFF
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 005FB00D
                                                                        • Part of subcall function 005FAF6F: gethostname.WS2_32(?,00000080), ref: 005FAF83
                                                                        • Part of subcall function 005FAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 005FAFE6
                                                                        • Part of subcall function 005F331C: gethostname.WS2_32(?,00000080), ref: 005F333F
                                                                        • Part of subcall function 005F331C: gethostbyname.WS2_32(?), ref: 005F3349
                                                                        • Part of subcall function 005FAA0A: inet_ntoa.WS2_32(00000000), ref: 005FAA10
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %OUTLOOK_BND_
                                                                      • API String ID: 1981676241-3684217054
                                                                      • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                      • Instruction ID: f0e55b135e103e88dc87df0b1f7f7f0bfb3ab1e31362ba1612af1a1613352e87
                                                                      • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                      • Instruction Fuzzy Hash: 1941327290020DABDB25EFA0DC4AEEF3B6CFF44304F144426FA2592152EB79E654CB55
                                                                      APIs
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 005F9536
                                                                      • Sleep.KERNEL32(000001F4), ref: 005F955D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShellSleep
                                                                      • String ID:
                                                                      • API String ID: 4194306370-3916222277
                                                                      • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                      • Instruction ID: 19163c3522f35391a353d57a832c5d40218fa1b851af3b631b86050d5599ed4c
                                                                      • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                      • Instruction Fuzzy Hash: 134125B1C0878D6EEF378B68D89D7B67FA4BF52314F2800A5D682971A2D6BC4D818711
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                      • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileWrite
                                                                      • String ID: ,k@
                                                                      • API String ID: 3934441357-1053005162
                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 005FB9D9
                                                                      • InterlockedIncrement.KERNEL32(00413648), ref: 005FBA3A
                                                                      • InterlockedIncrement.KERNEL32(?), ref: 005FBA94
                                                                      • GetTickCount.KERNEL32 ref: 005FBB79
                                                                      • GetTickCount.KERNEL32 ref: 005FBB99
                                                                      • InterlockedIncrement.KERNEL32(?), ref: 005FBE15
                                                                      • closesocket.WS2_32(00000000), ref: 005FBEB4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountIncrementInterlockedTick$closesocket
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 1869671989-2903620461
                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                      • Instruction ID: fcc3de7754ce5ac75bff224aa67382dc8c9dc4b1def7626520a27760dcdb3a9d
                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                      • Instruction Fuzzy Hash: 79314B7150024CDFEF25DFA4DC89AF97BA8FB48700F204456FB2482161EB79DA85CB15
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 536389180-1857712256
                                                                      • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                      • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                      • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                      • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                      APIs
                                                                      Strings
                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTickwsprintf
                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                      • API String ID: 2424974917-1012700906
                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                      APIs
                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 3716169038-2903620461
                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                      APIs
                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 005F70BC
                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 005F70F4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountLookupUser
                                                                      • String ID: |
                                                                      • API String ID: 2370142434-2343686810
                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction ID: ec50d017694d84dfb9097ee4891731fa1700a396d11bf6f78b8f198b39f97e4a
                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction Fuzzy Hash: 8D11097290411CEBDF21CFE4DC84EEEBBBDBB08711F1441A6E601E6190D6749B88DBA0
                                                                      APIs
                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: localcfg
                                                                      • API String ID: 2777991786-1857712256
                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                      APIs
                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 224340156-2903620461
                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                      APIs
                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                      • String ID: localcfg
                                                                      • API String ID: 2112563974-1857712256
                                                                      • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                      • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                      APIs
                                                                      • RegisterServiceCtrlHandlerA.ADVAPI32(hvjnshqw,Function_00009867), ref: 0040996C
                                                                        • Part of subcall function 00409892: SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                        • Part of subcall function 004098F2: Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Service$CtrlHandlerRegisterSleepStatus
                                                                      • String ID: Xd|$hvjnshqw
                                                                      • API String ID: 1317371667-1444363091
                                                                      • Opcode ID: ca430b9e4608bea333335a69787ed6bca2f17ce8de0e46e285fa1f472da398df
                                                                      • Instruction ID: 8090f714d00e8c700c7feefac428721607cdcb0429ac14865b211bf96103553c
                                                                      • Opcode Fuzzy Hash: ca430b9e4608bea333335a69787ed6bca2f17ce8de0e46e285fa1f472da398df
                                                                      • Instruction Fuzzy Hash: 55F054F2550308AEE2106F616D87B537548A711349F08C03FB919693D3EBBD4D44822D
                                                                      APIs
                                                                      • inet_addr.WS2_32(00000001), ref: 00402693
                                                                      • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbynameinet_addr
                                                                      • String ID: time_cfg
                                                                      • API String ID: 1594361348-2401304539
                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75B4EA50,80000001,00000000), ref: 0040EAF2
                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: ntdll.dll
                                                                      • API String ID: 2574300362-2227199552
                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                      APIs
                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134431058.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0
                                                                      • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                      • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                      APIs
                                                                        • Part of subcall function 005F2F88: GetModuleHandleA.KERNEL32(?), ref: 005F2FA1
                                                                        • Part of subcall function 005F2F88: LoadLibraryA.KERNEL32(?), ref: 005F2FB1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005F31DA
                                                                      • HeapFree.KERNEL32(00000000), ref: 005F31E1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2134570689.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5f0000_xnjytljr.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0
                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                      • Instruction ID: cad2dbf37db1abde54b8ee389ff4aad75ca83dc0808490cf1729895b043aaf9d
                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                      • Instruction Fuzzy Hash: 1751BA7590020AAFDF01DF64D8889FABB79FF15300F244568EE96C7211EB36DA19CB90

                                                                      Execution Graph

                                                                      Execution Coverage:14.6%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:0.7%
                                                                      Total number of Nodes:1807
                                                                      Total number of Limit Nodes:18
6847->6858 6848->6846 6850 2b471d0 6848->6850 6941 2b4f1a5 lstrlenA 6848->6941 6851 2b47205 RegCloseKey 6850->6851 6852 2b47227 6850->6852 6851->6858 6853 2b4728e RegCloseKey 6852->6853 6854 2b472b8 ___ascii_stricmp 6852->6854 6853->6858 6855 2b472cd RegCloseKey 6854->6855 6856 2b472dd 6854->6856 6855->6858 6857 2b47311 RegCloseKey 6856->6857 6860 2b47335 6856->6860 6857->6858 6858->6330 6859 2b473d5 RegCloseKey 6861 2b473e4 6859->6861 6860->6859 6862 2b4737e GetFileAttributesExA 6860->6862 6863 2b47397 6860->6863 6862->6863 6863->6859 6865 2b4741b 6864->6865 6866 2b46dc2 6 API calls 6865->6866 6867 2b4743f 6866->6867 6868 2b47469 RegOpenKeyExA 6867->6868 6870 2b477f9 6868->6870 6873 2b47487 ___ascii_stricmp 6868->6873 6869 2b47703 RegEnumKeyA 6871 2b47714 RegCloseKey 6869->6871 6869->6873 6870->6832 6871->6870 6872 2b474d2 RegOpenKeyExA 6872->6873 6873->6869 6873->6872 6874 2b4772c 6873->6874 6875 2b47521 RegQueryValueExA 6873->6875 6878 2b476e4 RegCloseKey 6873->6878 6881 2b4f1a5 lstrlenA 6873->6881 6882 2b4777e GetFileAttributesExA 6873->6882 6883 2b47769 6873->6883 6876 2b47742 RegCloseKey 6874->6876 6877 2b4774b 6874->6877 6875->6873 6876->6877 6879 2b477ec RegCloseKey 6877->6879 6878->6873 6879->6870 6880 2b477e3 RegCloseKey 6880->6879 6881->6873 6882->6883 6883->6880 6885 2b4783d LookupAccountNameA 6884->6885 6886 2b47a8d 6884->6886 6885->6886 6887 2b47874 GetLengthSid GetFileSecurityA 6885->6887 6886->6834 6887->6886 6888 2b478a8 GetSecurityDescriptorOwner 6887->6888 6889 2b478c5 EqualSid 6888->6889 6890 2b4791d GetSecurityDescriptorDacl 6888->6890 6889->6890 6891 2b478dc LocalAlloc 6889->6891 6890->6886 6902 2b47941 6890->6902 6891->6890 6892 2b478ef InitializeSecurityDescriptor 6891->6892 6894 2b47916 LocalFree 6892->6894 6895 2b478fb SetSecurityDescriptorOwner 6892->6895 6893 2b4795b GetAce 6893->6902 6894->6890 6895->6894 6896 2b4790b SetFileSecurityA 6895->6896 6896->6894 6897 2b47980 EqualSid 6897->6902 6898 2b47a3d 6898->6886 6901 2b47a43 LocalAlloc 
6898->6901 6899 2b479be EqualSid 6899->6902 6900 2b4799d DeleteAce 6900->6902 6901->6886 6903 2b47a56 InitializeSecurityDescriptor 6901->6903 6902->6886 6902->6893 6902->6897 6902->6898 6902->6899 6902->6900 6904 2b47a86 LocalFree 6903->6904 6905 2b47a62 SetSecurityDescriptorDacl 6903->6905 6904->6886 6905->6904 6906 2b47a73 SetFileSecurityA 6905->6906 6906->6904 6907 2b47a83 6906->6907 6907->6904 6909 2b47fa6 6908->6909 6909->6837 6911 2b47ac4 6910->6911 6912 2b47acb GetUserNameA 6910->6912 6911->6840 6913 2b47da7 RegCloseKey 6912->6913 6914 2b47aed LookupAccountNameA 6912->6914 6913->6911 6914->6913 6915 2b47b24 RegGetKeySecurity 6914->6915 6915->6913 6916 2b47b49 GetSecurityDescriptorOwner 6915->6916 6917 2b47b63 EqualSid 6916->6917 6918 2b47bb8 GetSecurityDescriptorDacl 6916->6918 6917->6918 6919 2b47b74 LocalAlloc 6917->6919 6920 2b47da6 6918->6920 6927 2b47bdc 6918->6927 6919->6918 6921 2b47b8a InitializeSecurityDescriptor 6919->6921 6920->6913 6922 2b47b96 SetSecurityDescriptorOwner 6921->6922 6923 2b47bb1 LocalFree 6921->6923 6922->6923 6925 2b47ba6 RegSetKeySecurity 6922->6925 6923->6918 6924 2b47bf8 GetAce 6924->6927 6925->6923 6926 2b47c1d EqualSid 6926->6927 6927->6920 6927->6924 6927->6926 6928 2b47cd9 6927->6928 6929 2b47c5f EqualSid 6927->6929 6930 2b47c3a DeleteAce 6927->6930 6928->6920 6931 2b47d5a LocalAlloc 6928->6931 6932 2b47cf2 RegOpenKeyExA 6928->6932 6929->6927 6930->6927 6931->6920 6933 2b47d70 InitializeSecurityDescriptor 6931->6933 6932->6931 6938 2b47d0f 6932->6938 6934 2b47d7c SetSecurityDescriptorDacl 6933->6934 6935 2b47d9f LocalFree 6933->6935 6934->6935 6936 2b47d8c RegSetKeySecurity 6934->6936 6935->6920 6936->6935 6937 2b47d9c 6936->6937 6937->6935 6939 2b47d43 RegSetValueExA 6938->6939 6939->6931 6940 2b47d54 6939->6940 6940->6931 6942 2b4f1c3 6941->6942 6942->6848 6943->6349 6945 2b4dd05 6 API calls 6944->6945 6948 2b4e65f 6945->6948 6946 2b4e6a5 6947 2b4ebcc 4 API calls 6946->6947 6951 2b4e6f5 6946->6951 6950 2b4e6b0 6947->6950 
6948->6946 6949 2b4e68c lstrcmpA 6948->6949 6949->6948 6950->6951 6953 2b4e6b7 6950->6953 6954 2b4e6e0 lstrcpynA 6950->6954 6952 2b4e71d lstrcmpA 6951->6952 6951->6953 6952->6951 6953->6351 6954->6951 6955->6357 6957 2b42692 inet_addr 6956->6957 6958 2b4268e 6956->6958 6957->6958 6959 2b4269e gethostbyname 6957->6959 6960 2b4f428 6958->6960 6959->6958 7108 2b4f315 6960->7108 6963 2b4f43e 6964 2b4f473 recv 6963->6964 6965 2b4f47c 6964->6965 6966 2b4f458 6964->6966 6965->6388 6966->6964 6966->6965 6968 2b4c525 6967->6968 6969 2b4c532 6967->6969 6968->6969 6971 2b4ec2e codecvt 4 API calls 6968->6971 6970 2b4c548 6969->6970 7121 2b4e7ff 6969->7121 6973 2b4e7ff lstrcmpiA 6970->6973 6981 2b4c54f 6970->6981 6971->6969 6974 2b4c615 6973->6974 6975 2b4ebcc 4 API calls 6974->6975 6974->6981 6975->6981 6977 2b4c5d1 6979 2b4ebcc 4 API calls 6977->6979 6978 2b4e819 11 API calls 6980 2b4c5b7 6978->6980 6979->6981 6982 2b4f04e 4 API calls 6980->6982 6981->6371 6983 2b4c5bf 6982->6983 6983->6970 6983->6977 6985 2b4c8d2 6984->6985 6986 2b4c907 6985->6986 6987 2b4c517 23 API calls 6985->6987 6986->6372 6987->6986 6989 2b4c670 6988->6989 6990 2b4c67d 6988->6990 6991 2b4ebcc 4 API calls 6989->6991 6992 2b4ebcc 4 API calls 6990->6992 6993 2b4c699 6990->6993 6991->6990 6992->6993 6994 2b4c6f3 6993->6994 6995 2b4c73c send 6993->6995 6994->6401 6994->6410 6995->6994 6997 2b4c770 6996->6997 6998 2b4c77d 6996->6998 6999 2b4ebcc 4 API calls 6997->6999 7000 2b4c799 6998->7000 7001 2b4ebcc 4 API calls 6998->7001 6999->6998 7002 2b4c7b5 7000->7002 7003 2b4ebcc 4 API calls 7000->7003 7001->7000 7004 2b4f43e recv 7002->7004 7003->7002 7005 2b4c7cb 7004->7005 7006 2b4c7d3 7005->7006 7007 2b4f43e recv 7005->7007 7006->6410 7007->7006 7124 2b47db7 7008->7124 7011 2b47e96 7011->6410 7012 2b4f04e 4 API calls 7014 2b47e4c 7012->7014 7013 2b4f04e 4 API calls 7013->7011 7015 2b4f04e 4 API calls 7014->7015 7016 2b47e70 7014->7016 7015->7016 7016->7011 7016->7013 7018 2b46ec3 2 API calls 7017->7018 7019 
2b47fdd 7018->7019 7020 2b480c2 CreateProcessA 7019->7020 7021 2b473ff 17 API calls 7019->7021 7020->6454 7020->6455 7022 2b47fff 7021->7022 7022->7020 7023 2b47809 21 API calls 7022->7023 7024 2b4804d 7023->7024 7024->7020 7025 2b4ef1e lstrlenA 7024->7025 7026 2b4809e 7025->7026 7027 2b4ef1e lstrlenA 7026->7027 7028 2b480af 7027->7028 7029 2b47a95 24 API calls 7028->7029 7029->7020 7031 2b47db7 2 API calls 7030->7031 7032 2b47eb8 7031->7032 7033 2b4f04e 4 API calls 7032->7033 7034 2b47ece DeleteFileA 7033->7034 7034->6410 7036 2b4dd05 6 API calls 7035->7036 7037 2b4e31d 7036->7037 7128 2b4e177 7037->7128 7039 2b4e326 7039->6426 7041 2b431f3 7040->7041 7051 2b431ec 7040->7051 7042 2b4ebcc 4 API calls 7041->7042 7056 2b431fc 7042->7056 7043 2b4344b 7044 2b4349d 7043->7044 7045 2b43459 7043->7045 7046 2b4ec2e codecvt 4 API calls 7044->7046 7047 2b4f04e 4 API calls 7045->7047 7046->7051 7048 2b4345f 7047->7048 7049 2b430fa 4 API calls 7048->7049 7049->7051 7050 2b4ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7050->7056 7051->6410 7052 2b4344d 7053 2b4ec2e codecvt 4 API calls 7052->7053 7053->7043 7055 2b43141 lstrcmpiA 7055->7056 7056->7043 7056->7050 7056->7051 7056->7052 7056->7055 7154 2b430fa GetTickCount 7056->7154 7058 2b430fa 4 API calls 7057->7058 7059 2b43c1a 7058->7059 7060 2b43ce6 7059->7060 7159 2b43a72 7059->7159 7060->6410 7063 2b43a72 9 API calls 7065 2b43c5e 7063->7065 7064 2b43a72 9 API calls 7064->7065 7065->7060 7065->7064 7066 2b4ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7065->7066 7066->7065 7068 2b43a10 7067->7068 7069 2b430fa 4 API calls 7068->7069 7070 2b43a1a 7069->7070 7070->6410 7072 2b4dd05 6 API calls 7071->7072 7073 2b4e7be 7072->7073 7073->6410 7075 2b4c07e wsprintfA 7074->7075 7079 2b4c105 7074->7079 7168 2b4bfce GetTickCount wsprintfA 7075->7168 7077 2b4c0ef 7169 2b4bfce GetTickCount wsprintfA 7077->7169 7079->6410 7081 2b47047 7080->7081 7082 2b46f88 LookupAccountNameA 7080->7082 7081->6410 7084 
2b47025 7082->7084 7085 2b46fcb 7082->7085 7170 2b46edd 7084->7170 7088 2b46fdb ConvertSidToStringSidA 7085->7088 7088->7084 7089 2b46ff1 7088->7089 7090 2b47013 LocalFree 7089->7090 7090->7084 7092 2b4dd05 6 API calls 7091->7092 7093 2b4e85c 7092->7093 7094 2b4dd84 lstrcmpiA 7093->7094 7095 2b4e867 7094->7095 7096 2b4e885 lstrcpyA 7095->7096 7181 2b424a5 7095->7181 7184 2b4dd69 7096->7184 7102 2b47db7 2 API calls 7101->7102 7103 2b47de1 7102->7103 7104 2b4f04e 4 API calls 7103->7104 7107 2b47e16 7103->7107 7105 2b47df2 7104->7105 7106 2b4f04e 4 API calls 7105->7106 7105->7107 7106->7107 7107->6410 7109 2b4ca1d 7108->7109 7110 2b4f33b 7108->7110 7109->6385 7109->6963 7111 2b4f347 htons socket 7110->7111 7112 2b4f374 closesocket 7111->7112 7113 2b4f382 ioctlsocket 7111->7113 7112->7109 7114 2b4f39d 7113->7114 7115 2b4f3aa connect select 7113->7115 7116 2b4f39f closesocket 7114->7116 7115->7109 7117 2b4f3f2 __WSAFDIsSet 7115->7117 7116->7109 7117->7116 7118 2b4f403 ioctlsocket 7117->7118 7120 2b4f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7118->7120 7120->7109 7122 2b4dd84 lstrcmpiA 7121->7122 7123 2b4c58e 7122->7123 7123->6970 7123->6977 7123->6978 7125 2b47dc8 InterlockedExchange 7124->7125 7126 2b47dd4 7125->7126 7127 2b47dc0 Sleep 7125->7127 7126->7012 7126->7016 7127->7125 7129 2b4e184 7128->7129 7130 2b4e223 7129->7130 7142 2b4e2e4 7129->7142 7144 2b4dfe2 7129->7144 7132 2b4dfe2 8 API calls 7130->7132 7130->7142 7136 2b4e23c 7132->7136 7133 2b4e1be 7133->7130 7134 2b4dbcf 3 API calls 7133->7134 7137 2b4e1d6 7134->7137 7135 2b4e21a CloseHandle 7135->7130 7136->7142 7148 2b4e095 RegCreateKeyExA 7136->7148 7137->7130 7137->7135 7138 2b4e1f9 WriteFile 7137->7138 7138->7135 7140 2b4e213 7138->7140 7140->7135 7141 2b4e2a3 7141->7142 7143 2b4e095 4 API calls 7141->7143 7142->7039 7143->7142 7145 2b4dffc 7144->7145 7147 2b4e024 7144->7147 7146 2b4db2e 8 API calls 7145->7146 7145->7147 7146->7147 7147->7133 7149 2b4e172 7148->7149 7151 2b4e0c0 7148->7151 
7149->7141 7150 2b4e13d 7152 2b4e14e RegDeleteValueA RegCloseKey 7150->7152 7151->7150 7153 2b4e115 RegSetValueExA 7151->7153 7152->7149 7153->7150 7153->7151 7155 2b43122 InterlockedExchange 7154->7155 7156 2b4312e 7155->7156 7157 2b4310f GetTickCount 7155->7157 7156->7056 7157->7156 7158 2b4311a Sleep 7157->7158 7158->7155 7160 2b4f04e 4 API calls 7159->7160 7167 2b43a83 7160->7167 7161 2b43ac1 7161->7060 7161->7063 7162 2b43be6 7165 2b4ec2e codecvt 4 API calls 7162->7165 7163 2b4ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7164 2b43bc0 7163->7164 7164->7162 7164->7163 7165->7161 7166 2b43b66 lstrlenA 7166->7161 7166->7167 7167->7161 7167->7164 7167->7166 7168->7077 7169->7079 7171 2b46eef AllocateAndInitializeSid 7170->7171 7177 2b46f55 wsprintfA 7170->7177 7172 2b46f1c CheckTokenMembership 7171->7172 7175 2b46f44 7171->7175 7173 2b46f2e 7172->7173 7174 2b46f3b FreeSid 7172->7174 7173->7174 7174->7175 7175->7177 7178 2b46e36 GetUserNameW 7175->7178 7177->7081 7179 2b46e97 7178->7179 7180 2b46e5f LookupAccountNameW 7178->7180 7179->7177 7180->7179 7182 2b42419 4 API calls 7181->7182 7183 2b424b6 7182->7183 7183->7096 7185 2b4dd79 lstrlenA 7184->7185 7185->6410 7187 2b4eb17 7186->7187 7188 2b4eb21 7186->7188 7189 2b4eae4 2 API calls 7187->7189 7188->6512 7189->7188 7192 2b469b9 WriteFile 7190->7192 7193 2b46a3c 7192->7193 7194 2b469ff 7192->7194 7193->6508 7193->6509 7194->7193 7195 2b46a10 WriteFile 7194->7195 7195->7193 7195->7194 7197 2b43edc 7196->7197 7199 2b43ee2 7196->7199 7198 2b46dc2 6 API calls 7197->7198 7198->7199 7199->6523 7201 2b4400b CreateFileA 7200->7201 7202 2b4402c GetLastError 7201->7202 7204 2b44052 7201->7204 7203 2b44037 7202->7203 7202->7204 7203->7204 7205 2b44041 Sleep 7203->7205 7204->6526 7205->7201 7205->7204 7207 2b43f7c 7206->7207 7208 2b43f4e GetLastError 7206->7208 7210 2b43f8c ReadFile 7207->7210 7208->7207 7209 2b43f5b WaitForSingleObject GetOverlappedResult 7208->7209 7209->7207 7211 2b43fc2 GetLastError 
7210->7211 7213 2b43ff0 7210->7213 7212 2b43fcf WaitForSingleObject GetOverlappedResult 7211->7212 7211->7213 7212->7213 7213->6531 7213->6532 7215 2b41924 GetVersionExA 7214->7215 7215->6571 7217 2b4f0f1 7216->7217 7218 2b4f0ed 7216->7218 7219 2b4f119 7217->7219 7220 2b4f0fa lstrlenA SysAllocStringByteLen 7217->7220 7218->6603 7222 2b4f11c MultiByteToWideChar 7219->7222 7221 2b4f117 7220->7221 7220->7222 7221->6603 7222->7221 7224 2b41820 17 API calls 7223->7224 7225 2b418f2 7224->7225 7226 2b418f9 7225->7226 7240 2b41280 7225->7240 7226->6599 7228 2b41908 7228->6599 7253 2b41000 7229->7253 7231 2b41839 7232 2b41851 GetCurrentProcess 7231->7232 7233 2b4183d 7231->7233 7234 2b41864 7232->7234 7233->6590 7234->6590 7236 2b49308 7235->7236 7238 2b4920e 7235->7238 7236->6599 7237 2b492f1 Sleep 7237->7238 7238->7236 7238->7237 7239 2b492bf ShellExecuteA 7238->7239 7239->7236 7239->7238 7243 2b412e1 ShellExecuteExW 7240->7243 7242 2b416f9 GetLastError 7245 2b41699 7242->7245 7243->7242 7244 2b413a8 7243->7244 7244->7245 7246 2b41570 lstrlenW 7244->7246 7247 2b415be GetStartupInfoW 7244->7247 7248 2b415ff CreateProcessWithLogonW 7244->7248 7252 2b41668 CloseHandle 7244->7252 7245->7228 7246->7244 7247->7244 7249 2b416bf GetLastError 7248->7249 7250 2b4163f WaitForSingleObject 7248->7250 7249->7245 7250->7244 7251 2b41659 CloseHandle 7250->7251 7251->7244 7252->7244 7254 2b4100d LoadLibraryA 7253->7254 7269 2b41023 7253->7269 7255 2b41021 7254->7255 7254->7269 7255->7231 7256 2b410b5 GetProcAddress 7257 2b410d1 GetProcAddress 7256->7257 7258 2b4127b 7256->7258 7257->7258 7259 2b410f0 GetProcAddress 7257->7259 7258->7231 7259->7258 7260 2b41110 GetProcAddress 7259->7260 7260->7258 7261 2b41130 GetProcAddress 7260->7261 7261->7258 7262 2b4114f GetProcAddress 7261->7262 7262->7258 7263 2b4116f GetProcAddress 7262->7263 7263->7258 7264 2b4118f GetProcAddress 7263->7264 7264->7258 7265 2b411ae GetProcAddress 7264->7265 7265->7258 7266 2b411ce GetProcAddress 7265->7266 
7266->7258 7267 2b411ee GetProcAddress 7266->7267 7267->7258 7268 2b41209 GetProcAddress 7267->7268 7268->7258 7270 2b41225 GetProcAddress 7268->7270 7269->7256 7273 2b410ae 7269->7273 7270->7258 7271 2b41241 GetProcAddress 7270->7271 7271->7258 7272 2b4125c GetProcAddress 7271->7272 7272->7258 7273->7231 7275 2b4908d 7274->7275 7276 2b490e2 wsprintfA 7275->7276 7277 2b4ee2a 7276->7277 7278 2b490fd CreateFileA 7277->7278 7279 2b4913f 7278->7279 7280 2b4911a lstrlenA WriteFile CloseHandle 7278->7280 7279->6626 7279->6627 7280->7279 7282 2b4ee2a 7281->7282 7283 2b49794 CreateProcessA 7282->7283 7284 2b497bb 7283->7284 7285 2b497c2 7283->7285 7284->6637 7286 2b497d4 GetThreadContext 7285->7286 7287 2b497f5 7286->7287 7288 2b49801 7286->7288 7289 2b497f6 TerminateProcess 7287->7289 7295 2b4637c 7288->7295 7289->7284 7291 2b49816 7291->7289 7292 2b4981e WriteProcessMemory 7291->7292 7292->7287 7293 2b4983b SetThreadContext 7292->7293 7293->7287 7294 2b49858 ResumeThread 7293->7294 7294->7284 7296 2b46386 7295->7296 7297 2b4638a GetModuleHandleA VirtualAlloc 7295->7297 7296->7291 7298 2b463f5 7297->7298 7299 2b463b6 7297->7299 7298->7291 7300 2b463be VirtualAllocEx 7299->7300 7300->7298 7301 2b463d6 7300->7301 7302 2b463df WriteProcessMemory 7301->7302 7302->7298 7304 2b4879f 7303->7304 7305 2b48791 7303->7305 7306 2b487bc 7304->7306 7308 2b4f04e 4 API calls 7304->7308 7307 2b4f04e 4 API calls 7305->7307 7309 2b4e819 11 API calls 7306->7309 7307->7304 7308->7306 7310 2b487d7 7309->7310 7323 2b48803 7310->7323 7458 2b426b2 gethostbyaddr 7310->7458 7313 2b487eb 7315 2b4e8a1 30 API calls 7313->7315 7313->7323 7315->7323 7318 2b4e819 11 API calls 7318->7323 7319 2b488a0 Sleep 7319->7323 7321 2b426b2 2 API calls 7321->7323 7322 2b4f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7322->7323 7323->7318 7323->7319 7323->7321 7323->7322 7324 2b4e8a1 30 API calls 7323->7324 7355 2b48cee 7323->7355 7363 2b4c4d6 7323->7363 7366 2b4c4e2 7323->7366 7369 
2b42011 7323->7369 7404 2b48328 7323->7404 7324->7323 7326 2b44084 7325->7326 7327 2b4407d 7325->7327 7328 2b43ecd 6 API calls 7326->7328 7329 2b4408f 7328->7329 7330 2b44000 3 API calls 7329->7330 7331 2b44095 7330->7331 7332 2b44130 7331->7332 7333 2b440c0 7331->7333 7334 2b43ecd 6 API calls 7332->7334 7338 2b43f18 4 API calls 7333->7338 7335 2b44159 CreateNamedPipeA 7334->7335 7336 2b44167 Sleep 7335->7336 7337 2b44188 ConnectNamedPipe 7335->7337 7336->7332 7339 2b44176 CloseHandle 7336->7339 7341 2b44195 GetLastError 7337->7341 7350 2b441ab 7337->7350 7340 2b440da 7338->7340 7339->7337 7342 2b43f8c 4 API calls 7340->7342 7343 2b4425e DisconnectNamedPipe 7341->7343 7341->7350 7344 2b440ec 7342->7344 7343->7337 7345 2b44127 CloseHandle 7344->7345 7347 2b44101 7344->7347 7345->7332 7346 2b43f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7346->7350 7348 2b43f18 4 API calls 7347->7348 7349 2b4411c ExitProcess 7348->7349 7350->7337 7350->7343 7350->7346 7351 2b43f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7350->7351 7352 2b4426a CloseHandle CloseHandle 7350->7352 7351->7350 7353 2b4e318 23 API calls 7352->7353 7354 2b4427b 7353->7354 7354->7354 7356 2b48d02 GetTickCount 7355->7356 7357 2b48dae 7355->7357 7356->7357 7360 2b48d19 7356->7360 7357->7323 7358 2b48da1 GetTickCount 7358->7357 7360->7358 7362 2b48d89 7360->7362 7463 2b4a677 7360->7463 7466 2b4a688 7360->7466 7362->7358 7474 2b4c2dc 7363->7474 7367 2b4c2dc 142 API calls 7366->7367 7368 2b4c4ec 7367->7368 7368->7323 7370 2b4202e 7369->7370 7371 2b42020 7369->7371 7372 2b4204b 7370->7372 7374 2b4f04e 4 API calls 7370->7374 7373 2b4f04e 4 API calls 7371->7373 7375 2b4206e GetTickCount 7372->7375 7376 2b4f04e 4 API calls 7372->7376 7373->7370 7374->7372 7377 2b42090 7375->7377 7378 2b420db GetTickCount 7375->7378 7381 2b42068 7376->7381 7382 2b420d4 GetTickCount 7377->7382 7386 2b42684 2 API calls 7377->7386 7397 2b420ce 7377->7397 7814 2b41978 7377->7814 7379 2b420e7 
7378->7379 7380 2b42132 GetTickCount GetTickCount 7378->7380 7384 2b4212b GetTickCount 7379->7384 7395 2b41978 15 API calls 7379->7395 7396 2b42125 7379->7396 7804 2b42ef8 7379->7804 7383 2b4f04e 4 API calls 7380->7383 7381->7375 7382->7378 7385 2b42159 7383->7385 7384->7380 7389 2b4e854 13 API calls 7385->7389 7401 2b421b4 7385->7401 7386->7377 7388 2b4f04e 4 API calls 7392 2b421d1 7388->7392 7390 2b4218e 7389->7390 7394 2b4e819 11 API calls 7390->7394 7393 2b421f2 7392->7393 7398 2b4ea84 30 API calls 7392->7398 7393->7323 7399 2b4219c 7394->7399 7395->7379 7396->7384 7397->7382 7400 2b421ec 7398->7400 7399->7401 7819 2b41c5f 7399->7819 7402 2b4f04e 4 API calls 7400->7402 7401->7388 7402->7393 7405 2b47dd6 6 API calls 7404->7405 7406 2b4833c 7405->7406 7407 2b46ec3 2 API calls 7406->7407 7414 2b48340 7406->7414 7408 2b4834f 7407->7408 7409 2b4835c 7408->7409 7416 2b4846b 7408->7416 7410 2b473ff 17 API calls 7409->7410 7411 2b48373 7410->7411 7411->7414 7438 2b483ea RegOpenKeyExA 7411->7438 7444 2b48450 7411->7444 7412 2b48626 GetTempPathA 7418 2b48638 7412->7418 7413 2b48671 7891 2b46ba7 IsBadCodePtr 7413->7891 7414->7323 7415 2b4675c 21 API calls 7419 2b485df 7415->7419 7420 2b484a7 RegOpenKeyExA 7416->7420 7416->7444 7418->7413 7419->7412 7419->7413 7427 2b48768 7419->7427 7422 2b484c0 RegQueryValueExA 7420->7422 7424 2b4852f 7420->7424 7421 2b486ad 7423 2b48762 7421->7423 7426 2b47e2f 6 API calls 7421->7426 7425 2b48521 RegCloseKey 7422->7425 7430 2b484dd 7422->7430 7423->7427 7428 2b48564 RegOpenKeyExA 7424->7428 7437 2b485a5 7424->7437 7425->7424 7441 2b486bb 7426->7441 7427->7414 7433 2b4ec2e codecvt 4 API calls 7427->7433 7429 2b48573 RegSetValueExA RegCloseKey 7428->7429 7428->7437 7429->7437 7430->7425 7431 2b4ebcc 4 API calls 7430->7431 7434 2b484f0 7431->7434 7432 2b4875b DeleteFileA 7432->7423 7433->7414 7434->7425 7436 2b484f8 RegQueryValueExA 7434->7436 7436->7425 7439 2b48515 7436->7439 7440 2b4ec2e codecvt 4 API calls 7437->7440 7437->7444 7442 
2b483fd RegQueryValueExA 7438->7442 7438->7444 7443 2b4ec2e codecvt 4 API calls 7439->7443 7440->7444 7441->7432 7445 2b486e0 lstrcpyA lstrlenA 7441->7445 7446 2b4842d RegSetValueExA 7442->7446 7447 2b4841e 7442->7447 7449 2b4851d 7443->7449 7444->7415 7444->7419 7450 2b47fcf 64 API calls 7445->7450 7448 2b48447 RegCloseKey 7446->7448 7447->7446 7447->7448 7448->7444 7449->7425 7451 2b48719 CreateProcessA 7450->7451 7452 2b4873d CloseHandle CloseHandle 7451->7452 7453 2b4874f 7451->7453 7452->7427 7454 2b47ee6 64 API calls 7453->7454 7455 2b48754 7454->7455 7456 2b47ead 6 API calls 7455->7456 7457 2b4875a 7456->7457 7457->7432 7459 2b426cd 7458->7459 7460 2b426fb 7458->7460 7461 2b426e1 inet_ntoa 7459->7461 7462 2b426de 7459->7462 7460->7313 7461->7462 7462->7313 7469 2b4a63d 7463->7469 7465 2b4a685 7465->7360 7467 2b4a63d GetTickCount 7466->7467 7468 2b4a696 7467->7468 7468->7360 7470 2b4a645 7469->7470 7471 2b4a64d 7469->7471 7470->7465 7472 2b4a66e 7471->7472 7473 2b4a65e GetTickCount 7471->7473 7472->7465 7473->7472 7491 2b4a4c7 GetTickCount 7474->7491 7477 2b4c47a 7482 2b4c4d2 7477->7482 7483 2b4c4ab InterlockedIncrement CreateThread 7477->7483 7478 2b4c326 7480 2b4c337 7478->7480 7481 2b4c32b GetTickCount 7478->7481 7479 2b4c300 GetTickCount 7479->7480 7480->7477 7485 2b4c363 GetTickCount 7480->7485 7481->7480 7482->7323 7483->7482 7484 2b4c4cb CloseHandle 7483->7484 7496 2b4b535 7483->7496 7484->7482 7485->7477 7486 2b4c373 7485->7486 7487 2b4c378 GetTickCount 7486->7487 7488 2b4c37f 7486->7488 7487->7488 7489 2b4c43b GetTickCount 7488->7489 7490 2b4c45e 7489->7490 7490->7477 7492 2b4a4f7 InterlockedExchange 7491->7492 7493 2b4a4e4 GetTickCount 7492->7493 7494 2b4a500 7492->7494 7493->7494 7495 2b4a4ef Sleep 7493->7495 7494->7477 7494->7478 7494->7479 7495->7492 7497 2b4b566 7496->7497 7498 2b4ebcc 4 API calls 7497->7498 7499 2b4b587 7498->7499 7500 2b4ebcc 4 API calls 7499->7500 7546 2b4b590 7500->7546 7501 2b4bdcd InterlockedDecrement 7502 2b4bde2 
7501->7502 7504 2b4ec2e codecvt 4 API calls 7502->7504 7505 2b4bdea 7504->7505 7507 2b4ec2e codecvt 4 API calls 7505->7507 7506 2b4bdb7 Sleep 7506->7546 7508 2b4bdf2 7507->7508 7510 2b4be05 7508->7510 7511 2b4ec2e codecvt 4 API calls 7508->7511 7509 2b4bdcc 7509->7501 7511->7510 7512 2b4ebed 8 API calls 7512->7546 7515 2b4b6b6 lstrlenA 7515->7546 7516 2b430b5 2 API calls 7516->7546 7517 2b4e819 11 API calls 7517->7546 7518 2b4b6ed lstrcpyA 7571 2b45ce1 7518->7571 7521 2b4b731 lstrlenA 7521->7546 7522 2b4b71f lstrcmpA 7522->7521 7522->7546 7523 2b4b772 GetTickCount 7523->7546 7524 2b4bd49 InterlockedIncrement 7665 2b4a628 7524->7665 7527 2b4b7ce InterlockedIncrement 7581 2b4acd7 7527->7581 7528 2b438f0 6 API calls 7528->7546 7529 2b4bc5b InterlockedIncrement 7529->7546 7532 2b4b912 GetTickCount 7532->7546 7533 2b4b932 GetTickCount 7536 2b4bc6d InterlockedIncrement 7533->7536 7533->7546 7534 2b4bcdc closesocket 7534->7546 7535 2b4b826 InterlockedIncrement 7535->7523 7536->7546 7537 2b45ce1 22 API calls 7537->7546 7540 2b4bba6 InterlockedIncrement 7540->7546 7542 2b4bc4c closesocket 7542->7546 7543 2b4a7c1 22 API calls 7543->7546 7546->7501 7546->7506 7546->7509 7546->7512 7546->7515 7546->7516 7546->7517 7546->7518 7546->7521 7546->7522 7546->7523 7546->7524 7546->7527 7546->7528 7546->7529 7546->7532 7546->7533 7546->7534 7546->7535 7546->7537 7546->7540 7546->7542 7546->7543 7547 2b4ba71 wsprintfA 7546->7547 7549 2b4ab81 lstrcpynA InterlockedIncrement 7546->7549 7550 2b4ef1e lstrlenA 7546->7550 7551 2b45ded 12 API calls 7546->7551 7552 2b4a688 GetTickCount 7546->7552 7553 2b43e10 7546->7553 7556 2b43e4f 7546->7556 7559 2b4384f 7546->7559 7579 2b4a7a3 inet_ntoa 7546->7579 7586 2b4abee 7546->7586 7598 2b41feb GetTickCount 7546->7598 7619 2b43cfb 7546->7619 7622 2b4b3c5 7546->7622 7653 2b4ab81 7546->7653 7599 2b4a7c1 7547->7599 7549->7546 7550->7546 7551->7546 7552->7546 7554 2b430fa 4 API calls 7553->7554 7555 2b43e1d 7554->7555 7555->7546 7557 2b430fa 4 API calls 
7556->7557 7558 2b43e5c 7557->7558 7558->7546 7560 2b430fa 4 API calls 7559->7560 7562 2b43863 7560->7562 7561 2b438b2 7561->7546 7562->7561 7563 2b438b9 7562->7563 7564 2b43889 7562->7564 7674 2b435f9 7563->7674 7668 2b43718 7564->7668 7569 2b435f9 6 API calls 7569->7561 7570 2b43718 6 API calls 7570->7561 7572 2b45cf4 7571->7572 7573 2b45cec 7571->7573 7575 2b44bd1 4 API calls 7572->7575 7680 2b44bd1 GetTickCount 7573->7680 7576 2b45d02 7575->7576 7685 2b45472 7576->7685 7580 2b4a7b9 7579->7580 7580->7546 7582 2b4f315 14 API calls 7581->7582 7583 2b4aceb 7582->7583 7584 2b4acff 7583->7584 7585 2b4f315 14 API calls 7583->7585 7584->7546 7585->7584 7587 2b4abfb 7586->7587 7590 2b4ac65 7587->7590 7748 2b42f22 7587->7748 7589 2b4f315 14 API calls 7589->7590 7590->7589 7591 2b4ac6f 7590->7591 7592 2b4ac8a 7590->7592 7593 2b4ab81 2 API calls 7591->7593 7592->7546 7594 2b4ac81 7593->7594 7756 2b438f0 7594->7756 7595 2b42684 2 API calls 7597 2b4ac23 7595->7597 7597->7590 7597->7595 7598->7546 7600 2b4a87d lstrlenA send 7599->7600 7601 2b4a7df 7599->7601 7602 2b4a8bf 7600->7602 7603 2b4a899 7600->7603 7601->7600 7607 2b4a7fa wsprintfA 7601->7607 7608 2b4a80a 7601->7608 7612 2b4a8f2 7601->7612 7606 2b4a8c4 send 7602->7606 7602->7612 7605 2b4a8a5 wsprintfA 7603->7605 7618 2b4a89e 7603->7618 7604 2b4a978 recv 7611 2b4a982 7604->7611 7604->7612 7605->7618 7609 2b4a8d8 wsprintfA 7606->7609 7606->7612 7607->7608 7608->7600 7609->7618 7610 2b4a9b0 wsprintfA 7610->7618 7613 2b430b5 2 API calls 7611->7613 7611->7618 7612->7604 7612->7610 7612->7611 7614 2b4ab05 7613->7614 7615 2b4e819 11 API calls 7614->7615 7616 2b4ab17 7615->7616 7617 2b4a7a3 inet_ntoa 7616->7617 7617->7618 7618->7546 7620 2b430fa 4 API calls 7619->7620 7621 2b43d0b 7620->7621 7621->7546 7623 2b45ce1 22 API calls 7622->7623 7624 2b4b3e6 7623->7624 7625 2b45ce1 22 API calls 7624->7625 7627 2b4b404 7625->7627 7626 2b4b440 7629 2b4ef7c 3 API calls 7626->7629 7627->7626 7628 2b4ef7c 3 API calls 7627->7628 7630 
Control-flow Graph (tail of the edge list for the function block above; the interactive graph is not reproduced). API-bearing nodes in this part of the graph, by address:
• 02B4B458 wsprintfA; 02B4AD89 GetLocalTime, SystemTimeToFileTime; 02B4ABE9 GetTickCount; 02B4ABA8 lstrcpynA; 02B4ABE1 InterlockedIncrement; 02B4A539, 02B4A542 GetTickCount; 02B437B3, 02B437C8, 02B436DA, 02B436E5, 02B4391B, 02B43939 GetCurrentThreadId; 02B44BFF InterlockedExchange; 02B44BEC GetTickCount; 02B44BF7 Sleep; 02B45549, 02B4480D lstrlenA; 02B4558D, 02B45935 lstrcpynA; 02B45A9F, 02B458E7 lstrcpyA; 02B4EF7C lstrlenA × 3; 02B44FD5 IsBadCodePtr
• 02B42D21 GetModuleHandleA; 02B42D46 LoadLibraryA; 02B42D5B GetProcAddress; 02B42D6B DnsQuery_A; 02B42D97 GetProcessHeap, HeapAlloc; 02B42DB5 lstrcpynA; 02B42F6B, 02B42FCF GetProcessHeap, HeapFree
• 02B4AD08 gethostname; 02B4AD26, 02B4AD68 lstrlenA; 02B4AD79 lstrcpyA; 02B4A7A3 inet_ntoa; 02B4AE36 wsprintfA × 2; 02B4AE85 wsprintfA; 02B4B2AF GetLocalTime; 02B4B2BB FileTimeToLocalFileTime, FileTimeToSystemTime; 02B4B2D9 SystemTimeToFileTime; 02B4B312 FileTimeToSystemTime; 02B4B31C GetTimeZoneInformation; 02B4B33A wsprintfA
• 02B42DF2 GetModuleHandleA; 02B42E10 LoadLibraryA; 02B42E28 GetProcAddress; 02B42E3E GetProcessHeap, HeapAlloc; 02B42E7F htons, inet_addr; 02B42EA5 gethostbyname; 02B42EDE GetProcessHeap, HeapFree; 02B42D0E Sleep; 02B42A62 GetProcessHeap, HeapAlloc; 02B42A99 socket; 02B42ADB htons; 02B42B04 select; 02B42B3F recv; 02B42B66, 02B42B87, 02B42C17 htons; 02B42BF3 GetProcessHeap, HeapAlloc; 02B42C4D, 02B42CD3, 02B42909 GetProcessHeap, HeapFree; 02B42CB3 GetProcessHeap, HeapFree, closesocket; 02B4272B GetTickCount, htons; 02B427CC htons, htons, sendto; 02B42816, 02B4285C, 02B42871, 02B428C3 htons; 02B429BD htons × 3; 02B429F6 GetProcessHeap, HeapAlloc; 02B41990 closesocket; 02B41CC2, 02B41D47 wsprintfA
• 02B46C07 CreateFileA; 02B46C34 WriteFile; 02B46C49 CloseHandle, DeleteFileA; 02B46C5A CloseHandle
• 02B46511 wsprintfA, IsBadReadPtr; 02B4656A htonl, htonl, wsprintfA, wsprintfA; 02B4668A GetCurrentProcess, StackWalk64; 02B46652, 02B466A0, 02B466DA, 02B466ED, 02B46712 wsprintfA; 02B46753 ExitProcess
• 02B48C8B, 02B4E781 lstrcmpA; 02B4643E, 02B4645B VirtualAlloc; 02B462A0 VirtualFree; 02B46281 FreeLibrary; 02B46090, 02B46191 IsBadReadPtr; 02B460C0 LoadLibraryA; 02B46141, 02B46155 GetProcAddress; 02B45FBF VirtualProtect
• 02B44E92, 02B44EAD GetTickCount; 02B44EC0 InterlockedExchange; 02B44EB8 Sleep; 02B45D93, 02B45B84, 02B45C05, 02B45C24 IsBadWritePtr; 02B4F26D setsockopt × 5; 02B4F483 WSAStartup
APIs
• closesocket.WS2_32(?), ref: 02B4CA4E
• closesocket.WS2_32(?), ref: 02B4CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 02B4CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B4CCB4
• WriteFile.KERNEL32(02B4A4B3,?,-000000E8,?,00000000), ref: 02B4CCDC
• CloseHandle.KERNEL32(02B4A4B3), ref: 02B4CCED
• wsprintfA.USER32 ref: 02B4CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02B4CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02B4CD89
• CloseHandle.KERNEL32(?), ref: 02B4CD98
• CloseHandle.KERNEL32(?), ref: 02B4CD9D
• DeleteFileA.KERNEL32(?), ref: 02B4CDC4
• CloseHandle.KERNEL32(02B4A4B3), ref: 02B4CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02B4CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02B4CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02B4D033
• lstrcatA.KERNEL32(?,04300108), ref: 02B4D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 02B4D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02B4D171
• WriteFile.KERNEL32(00000000,0430012C,?,?,00000000), ref: 02B4D195
• CloseHandle.KERNEL32(00000000), ref: 02B4D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02B4D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02B4D231
• lstrcatA.KERNEL32(?,04300108,?,?,?,?,?,?,?,00000100), ref: 02B4D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02B4D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02B4D2C7
• WriteFile.KERNEL32(00000000,0430012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02B4D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02B4D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02B4D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02B4D372
• lstrcatA.KERNEL32(?,04300108,?,?,?,?,?,?,?,00000100), ref: 02B4D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02B4D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02B4D408
• WriteFile.KERNEL32(00000000,0430012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02B4D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02B4D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02B4D45B
• CreateProcessA.KERNEL32(?,02B50264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02B4D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02B4D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02B4D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02B4D513
• closesocket.WS2_32(?), ref: 02B4D56C
• Sleep.KERNEL32(000003E8), ref: 02B4D577
• ExitProcess.KERNEL32 ref: 02B4D583
• wsprintfA.USER32 ref: 02B4D81F
  • Part of subcall function 02B4C65C: send.WS2_32(00000000,?,00000000), ref: 02B4C74B
• closesocket.WS2_32(?), ref: 02B4DAD5
Memory Dump Source
• Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-3621667711
• Opcode ID: 422215d5e9b445ccea170446b1cc6589abf453908a2a0b245618dd5022f61b23
• Instruction ID: 0878570aa57d913443d5c12239f785d8be38b312c7d5efca7d23595b6c6418c8
• Opcode Fuzzy Hash: 422215d5e9b445ccea170446b1cc6589abf453908a2a0b245618dd5022f61b23
• Instruction Fuzzy Hash: EFB2B471D41219ABEB11AFA4DCC4FEA7BB9EB08344F1408EAFA45AB140DF309955EF50
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 02B49A7F
• SetErrorMode.KERNELBASE(00000003), ref: 02B49A83
• SetUnhandledExceptionFilter.KERNEL32(02B46511), ref: 02B49A8A
  • Part of subcall function 02B4EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B4EC5E
  • Part of subcall function 02B4EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02B4EC72
  • Part of subcall function 02B4EC54: GetTickCount.KERNEL32 ref: 02B4EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02B49AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 02B49ABA
• GetCommandLineA.KERNEL32 ref: 02B49AFD
• lstrlenA.KERNEL32(?), ref: 02B49B99
• ExitProcess.KERNEL32 ref: 02B49C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 02B49CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 02B49D7A
• lstrcatA.KERNEL32(?,?), ref: 02B49D8B
• lstrcatA.KERNEL32(?,02B5070C), ref: 02B49D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02B49DED
• DeleteFileA.KERNEL32(00000022), ref: 02B49E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02B49E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02B49EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02B49ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02B49F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02B49F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02B49F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02B49FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02B49FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02B49FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 02B4A038
• lstrcatA.KERNEL32(00000022,02B50A34), ref: 02B4A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 02B4A072
• lstrcatA.KERNEL32(00000022,02B50A34), ref: 02B4A08D
• wsprintfA.USER32 ref: 02B4A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 02B4A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 02B4A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 02B4A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02B4A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 02B4A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 02B4A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 02B4A1B6
• GetCommandLineA.KERNEL32 ref: 02B4A1E5
  • Part of subcall function 02B499D2: lstrcpyA.KERNEL32(?,?,00000100,02B522F8,00000000,?,02B49E9D,?,00000022,?,?,?,?,?,?,?), ref: 02B499DF
  • Part of subcall function 02B499D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02B49E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02B49A3C
  • Part of subcall function 02B499D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02B49E9D,?,00000022,?,?,?), ref: 02B49A52
• lstrlenA.KERNEL32(?), ref: 02B4A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02B4A3B7
• GetLastError.KERNEL32 ref: 02B4A3ED
• Sleep.KERNELBASE(000003E8), ref: 02B4A400
• DeleteFileA.KERNELBASE(02B533D8), ref: 02B4A407
• CreateThread.KERNELBASE(00000000,00000000,02B4405E,00000000,00000000,00000000), ref: 02B4A42C
• WSAStartup.WS2_32(00001010,?), ref: 02B4A43A
• CreateThread.KERNELBASE(00000000,00000000,02B4877E,00000000,00000000,00000000), ref: 02B4A469
• Sleep.KERNELBASE(00000BB8), ref: 02B4A48A
• GetTickCount.KERNEL32 ref: 02B4A49F
• GetTickCount.KERNEL32 ref: 02B4A4B7
• Sleep.KERNELBASE(00001A90), ref: 02B4A4C3
Memory Dump Source
• Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe$D$P$\$hvjnshqw
• API String ID: 2089075347-328042157
• Opcode ID: c105976aeec4b8c14db6535d801f6a973561c3ab4a9dfa2d9d169958dc3c1095
• Instruction ID: cd6a24e049f50b25a88e5b1c59d26042a73eafa198dd3d48c84c0e660e3dae30
• Opcode Fuzzy Hash: c105976aeec4b8c14db6535d801f6a973561c3ab4a9dfa2d9d169958dc3c1095
• Instruction Fuzzy Hash: 195252B1D80259ABEB11ABA08CC9FEF7BBDEB09304F1448E5F505A7141EF709A449F61
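The two API lists above (the drop-and-launch routine ending at 02B4DAD5 and the installer routine ending at 02B4A4C3) can be triaged mechanically from the report text itself. The following Python is an added example, not part of the Joe Sandbox report and not the sample's own code: it parses bullets in the report's `Name.MODULE(args), ref: ADDR` form and walks them in order to flag the drop-hide-execute chain visible above (CreateFileA with GENERIC_WRITE set and CREATE_ALWAYS, WriteFile, SetFileAttributesA with the FILE_ATTRIBUTE_HIDDEN bit 0x02, CreateProcessA with CREATE_NO_WINDOW 0x08000000 in dwCreationFlags, DeleteFileA) and the persistence calls (RegSetValueExA under a key opened from HKEY_CURRENT_USER 0x80000001, StartServiceCtrlDispatcherA). The embedded trace is a constructed subset of the report's bullets; the Win32 constant values and argument positions are the documented ones, while the chain heuristic and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the bullets from the two report blocks
# above, kept in report order.  Not the full trace.
SAMPLE = """\
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B4CCB4
• WriteFile.KERNEL32(02B4A4B3,?,-000000E8,?,00000000), ref: 02B4CCDC
• wsprintfA.USER32 ref: 02B4CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02B4CD77
• DeleteFileA.KERNEL32(?), ref: 02B4CDC4
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02B4D171
• WriteFile.KERNEL32(00000000,0430012C,?,?,00000000), ref: 02B4D195
• CloseHandle.KERNEL32(00000000), ref: 02B4D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02B4D1C8
• CreateProcessA.KERNEL32(?,02B50264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02B4D4DE
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02B4D513
  • Part of subcall function 02B4C65C: send.WS2_32(00000000,?,00000000), ref: 02B4C74B
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02B49F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02B49F5E
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02B4A3B7
"""

# One bullet per line: "Name.MODULE(args), ref: ADDR".  The argument list may
# be absent, and a "Part of subcall function XXXX:" prefix may precede it.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]      # None where the report printed '?'
    ref: int
    subcall_of: Optional[int] = None


def parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    if tok in ("", "?"):
        return None                 # unknown, never treated as zero
    return -int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # headings such as "APIs" or "Strings"
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def arg(c: Call, i: int) -> Optional[int]:
    return c.args[i] if i < len(c.args) else None


# Standard Win32 constants.
GENERIC_WRITE = 0x40000000
CREATE_ALWAYS = 2
FILE_ATTRIBUTE_HIDDEN = 0x02
CREATE_NO_WINDOW = 0x08000000
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}


def find_drop_and_execute(calls: List[Call]) -> List[dict]:
    """A chain opens at CreateFile*(dwDesiredAccess has GENERIC_WRITE, CREATE_ALWAYS)
    and collects the first WriteFile, any SetFileAttributes* with the HIDDEN bit,
    the first CreateProcess* after the write and the first DeleteFile* after the
    launch.  Chains that reached CreateProcess are reported (heuristic)."""
    findings, chain = [], None
    for c in calls:
        a = c.api
        if a.startswith("CreateFile") and (arg(c, 1) or 0) & GENERIC_WRITE \
                and arg(c, 4) == CREATE_ALWAYS:
            if chain and chain["exec_ref"] is not None:
                findings.append(chain)
            chain = {"create_ref": c.ref, "write_ref": None, "hidden_ref": None,
                     "exec_ref": None, "delete_ref": None, "no_window": False}
        elif chain is None:
            continue
        elif a == "WriteFile" and chain["write_ref"] is None:
            chain["write_ref"] = c.ref
        elif a.startswith("SetFileAttributes") and (arg(c, 1) or 0) & FILE_ATTRIBUTE_HIDDEN:
            chain["hidden_ref"] = c.ref
        elif a.startswith("CreateProcess") and chain["write_ref"] is not None \
                and chain["exec_ref"] is None:
            chain["exec_ref"] = c.ref
            chain["no_window"] = bool((arg(c, 5) or 0) & CREATE_NO_WINDOW)  # dwCreationFlags
        elif a.startswith("DeleteFile") and chain["exec_ref"] is not None \
                and chain["delete_ref"] is None:
            chain["delete_ref"] = c.ref
    if chain and chain["exec_ref"] is not None:
        findings.append(chain)
    return findings


def find_persistence(calls: List[Call]) -> List[dict]:
    """Registry value writes, attributed to the hive of the last RegOpenKeyEx*,
    and registration of a service main via StartServiceCtrlDispatcher*."""
    findings, hive = [], None
    for c in calls:
        if c.api.startswith("RegOpenKeyEx"):
            hive = arg(c, 0)
        elif c.api.startswith("RegSetValueEx"):
            findings.append({"kind": "registry_value_write", "ref": c.ref,
                             "hive": HIVES.get(hive, "unknown")})
        elif c.api.startswith("StartServiceCtrlDispatcher"):
            findings.append({"kind": "service_main_registered", "ref": c.ref, "hive": None})
    return findings


if __name__ == "__main__":
    trace = parse_trace(SAMPLE)
    for f in find_drop_and_execute(trace) + find_persistence(trace):
        print(f)
```

The report prints stack residue after the real arguments (the trailing `?,?,…,00000100` on many calls), so the matcher reads only the positional arguments it needs and treats `?` as unknown rather than as zero; a CreateFileA whose access mask is unknown therefore never opens a chain, which is the conservative choice for a triage script.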

Control-flow Graph
• Function at 02B4199C (interactive graph not reproduced; executed/not-executed marking lost). Nodes in graph order: inet_addr, LoadLibraryA; GetProcAddress × 3; FreeLibrary; GetBestInterface, GetProcessHeap; HeapAlloc; GetAdaptersInfo; HeapReAlloc; GetAdaptersInfo; FreeLibrary; HeapFree.
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 02B419B1
• LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02B41E9E), ref: 02B419BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02B419E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 02B419ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 02B419F9
• GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02B41E9E), ref: 02B41A1B
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,02B41E9E), ref: 02B41A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02B41E9E), ref: 02B41A36
• GetAdaptersInfo.IPHLPAPI(00000000,02B41E9E,?,?,?,?,00000001,02B41E9E), ref: 02B41A4A
• HeapReAlloc.KERNEL32(?,00000000,00000000,02B41E9E,?,?,?,?,00000001,02B41E9E), ref: 02B41A5A
• GetAdaptersInfo.IPHLPAPI(00000000,02B41E9E,?,?,?,?,00000001,02B41E9E), ref: 02B41A6E
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02B41E9E), ref: 02B41A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02B41E9E), ref: 02B41AA4
Memory Dump Source
• Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
Similarity
• API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 293628436-270533642
• Opcode ID: 602728940618d11f355f5d5a102416bce9d0f098da8b2cc0599a41ffe1c94da1
• Instruction ID: 8f459262db2830feb4d9cc886b6546fc3557bf513d21fabdddef0d05c598d27b
• Opcode Fuzzy Hash: 602728940618d11f355f5d5a102416bce9d0f098da8b2cc0599a41ffe1c94da1
• Instruction Fuzzy Hash: D231A631D10219AFDF11AFE8CCC89BEBBB5EF48745B1449BAF625A7110DB304980DB61

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 696 2b47a95-2b47ac2 RegOpenKeyExA 697 2b47ac4-2b47ac6 696->697 698 2b47acb-2b47ae7 GetUserNameA 696->698 699 2b47db4-2b47db6 697->699 700 2b47da7-2b47db3 RegCloseKey 698->700 701 2b47aed-2b47b1e LookupAccountNameA 698->701 700->699 701->700 702 2b47b24-2b47b43 RegGetKeySecurity 701->702 702->700 703 2b47b49-2b47b61 GetSecurityDescriptorOwner 702->703 704 2b47b63-2b47b72 EqualSid 703->704 705 2b47bb8-2b47bd6 GetSecurityDescriptorDacl 703->705 704->705 706 2b47b74-2b47b88 LocalAlloc 704->706 707 2b47da6 705->707 708 2b47bdc-2b47be1 705->708 706->705 709 2b47b8a-2b47b94 InitializeSecurityDescriptor 706->709 707->700 708->707 710 2b47be7-2b47bf2 708->710 711 2b47b96-2b47ba4 SetSecurityDescriptorOwner 709->711 712 2b47bb1-2b47bb2 LocalFree 709->712 710->707 713 2b47bf8-2b47c08 GetAce 710->713 711->712 714 2b47ba6-2b47bab RegSetKeySecurity 711->714 712->705 715 2b47cc6 713->715 716 2b47c0e-2b47c1b 713->716 714->712 719 2b47cc9-2b47cd3 715->719 717 2b47c1d-2b47c2f EqualSid 716->717 718 2b47c4f-2b47c52 716->718 721 2b47c36-2b47c38 717->721 722 2b47c31-2b47c34 717->722 723 2b47c54-2b47c5e 718->723 724 2b47c5f-2b47c71 EqualSid 718->724 719->713 720 2b47cd9-2b47cdc 719->720 720->707 725 2b47ce2-2b47ce8 720->725 721->718 726 2b47c3a-2b47c4d DeleteAce 721->726 722->717 722->721 723->724 727 2b47c86 724->727 728 2b47c73-2b47c84 724->728 729 2b47d5a-2b47d6e LocalAlloc 725->729 730 2b47cea-2b47cf0 725->730 726->719 731 2b47c8b-2b47c8e 727->731 728->731 729->707 735 2b47d70-2b47d7a InitializeSecurityDescriptor 729->735 730->729 732 2b47cf2-2b47d0d RegOpenKeyExA 730->732 733 2b47c90-2b47c96 731->733 734 2b47c9d-2b47c9f 731->734 732->729 736 2b47d0f-2b47d16 732->736 733->734 737 2b47ca7-2b47cc3 734->737 738 2b47ca1-2b47ca5 734->738 739 2b47d7c-2b47d8a SetSecurityDescriptorDacl 735->739 740 2b47d9f-2b47da0 LocalFree 735->740 741 2b47d19-2b47d1e 736->741 737->715 738->715 738->737 739->740 742 2b47d8c-2b47d9a RegSetKeySecurity 739->742 740->707 741->741 743 2b47d20-2b47d52 call 2b42544 RegSetValueExA 741->743 742->740 744 2b47d9c 742->744 743->729 747 2b47d54 743->747 744->740 747->729
APIs
• RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02B47ABA
• GetUserNameA.ADVAPI32(?,?), ref: 02B47ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,02B5070C,?,?,?), ref: 02B47B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02B47B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02B47B59
• EqualSid.ADVAPI32(?,00000022), ref: 02B47B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02B47B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B47B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02B47B9C
• RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02B47BAB
• LocalFree.KERNEL32(00000000), ref: 02B47BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,02B47FC9,?,00000000), ref: 02B47BCE
Strings
Memory Dump Source
• Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe$D
• API String ID: 2976863881-2993797894
• Opcode ID: 70cf46c28d26d544394030d6600ff0dc125b3e0e2b10d6e0c98e560d0e70afb8
• Instruction ID: a7bbe4043b30c736b0483aa0f2a0bdf67a6aad461655d0c4d0af6b2d1aa6c72f
• Opcode Fuzzy Hash: 70cf46c28d26d544394030d6600ff0dc125b3e0e2b10d6e0c98e560d0e70afb8
• Instruction Fuzzy Hash: 78A14CB1D40229AFDF119FA0CC88FEEBBB9FF08344F1444A9E905E6140DB359A55EB60

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 748 2b47809-2b47837 GetUserNameA 749 2b4783d-2b4786e LookupAccountNameA 748->749 750 2b47a8e-2b47a94 748->750 749->750 751 2b47874-2b478a2 GetLengthSid GetFileSecurityA 749->751 751->750 752 2b478a8-2b478c3 GetSecurityDescriptorOwner 751->752 753 2b478c5-2b478da EqualSid 752->753 754 2b4791d-2b4793b GetSecurityDescriptorDacl 752->754 753->754 757 2b478dc-2b478ed LocalAlloc 753->757 755 2b47941-2b47946 754->755 756 2b47a8d 754->756 755->756 758 2b4794c-2b47955 755->758 756->750 757->754 759 2b478ef-2b478f9 InitializeSecurityDescriptor 757->759 758->756 760 2b4795b-2b4796b GetAce 758->760 761 2b47916-2b47917 LocalFree 759->761 762 2b478fb-2b47909 SetSecurityDescriptorOwner 759->762 763 2b47971-2b4797e 760->763 764 2b47a2a 760->764 761->754 762->761 765 2b4790b-2b47910 SetFileSecurityA 762->765 766 2b47980-2b47992 EqualSid 763->766 767 2b479ae-2b479b1 763->767 768 2b47a2d-2b47a37 764->768 765->761 769 2b47994-2b47997 766->769 770 2b47999-2b4799b 766->770 772 2b479b3-2b479bd 767->772 773 2b479be-2b479d0 EqualSid 767->773 768->760 771 2b47a3d-2b47a41 768->771 769->766 769->770 770->767 774 2b4799d-2b479ac DeleteAce 770->774 771->756 775 2b47a43-2b47a54 LocalAlloc 771->775 772->773 776 2b479e5 773->776 777 2b479d2-2b479e3 773->777 774->768 775->756 778 2b47a56-2b47a60 InitializeSecurityDescriptor 775->778 779 2b479ea-2b479ed 776->779 777->779 782 2b47a86-2b47a87 LocalFree 778->782 783 2b47a62-2b47a71 SetSecurityDescriptorDacl 778->783 780 2b479ef-2b479f5 779->780 781 2b479f8-2b479fb 779->781 780->781 784 2b47a03-2b47a0e 781->784 785 2b479fd-2b47a01 781->785 782->756 783->782 786 2b47a73-2b47a81 SetFileSecurityA 783->786 787 2b47a10-2b47a17 784->787 788 2b47a19-2b47a24 784->788 785->764 785->784 786->782 789 2b47a83 786->789 790 2b47a27 787->790 788->790 789->782 790->764
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 02B4782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02B47866
• GetLengthSid.ADVAPI32(?), ref: 02B47878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02B4789A
• GetSecurityDescriptorOwner.ADVAPI32(?,02B47F63,?), ref: 02B478B8
• EqualSid.ADVAPI32(?,02B47F63), ref: 02B478D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02B478E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B478F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02B47901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02B47910
• LocalFree.KERNEL32(00000000), ref: 02B47917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02B47933
• GetAce.ADVAPI32(?,00000000,?), ref: 02B47963
• EqualSid.ADVAPI32(?,02B47F63), ref: 02B4798A
• DeleteAce.ADVAPI32(?,00000000), ref: 02B479A3
• EqualSid.ADVAPI32(?,02B47F63), ref: 02B479C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02B47A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02B47A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02B47A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02B47A79
• LocalFree.KERNEL32(00000000), ref: 02B47A87
Strings
Memory Dump Source
• Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: d282f1791c86e0965d710be602b06322070cf377085ba6c060aa3f3bc9d952f7
• Instruction ID: 4a05408ab7d6821a16cc6d94bf15e0e0650ade0b3b567735374c6213b5ce36c6
• Opcode Fuzzy Hash: d282f1791c86e0965d710be602b06322070cf377085ba6c060aa3f3bc9d952f7
• Instruction Fuzzy Hash: 34813C71D0021EABDF21DFA4CD84FEEBBB8EF08344F1445AAE615E6140DB349651EB64

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 791 2b48328-2b4833e call 2b47dd6 794 2b48340-2b48343 791->794 795 2b48348-2b48356 call 2b46ec3 791->795 796 2b4877b-2b4877d 794->796 799 2b4835c-2b48378 call 2b473ff 795->799 800 2b4846b-2b48474 795->800 810 2b48464-2b48466 799->810 811 2b4837e-2b48384 799->811 802 2b485c2-2b485ce 800->802 803 2b4847a-2b48480 800->803 805 2b48615-2b48620 802->805 806 2b485d0-2b485da call 2b4675c 802->806 803->802 807 2b48486-2b484ba call 2b42544 RegOpenKeyExA 803->807 808 2b48626-2b4864c GetTempPathA call 2b48274 call 2b4eca5 805->808 809 2b486a7-2b486b0 call 2b46ba7 805->809 818 2b485df-2b485eb 806->818 824 2b484c0-2b484db RegQueryValueExA 807->824 825 2b48543-2b48571 call 2b42544 RegOpenKeyExA 807->825 845 2b48671-2b486a4 call 2b42544 call 2b4ef00 call 2b4ee2a 808->845 846 2b4864e-2b4866f call 2b4eca5 808->846 826 2b486b6-2b486bd call 2b47e2f 809->826 827 2b48762 809->827 817 2b48779-2b4877a 810->817 811->810 816 2b4838a-2b4838d 811->816 816->810 822 2b48393-2b48399 816->822 817->796 818->805 823 2b485ed-2b485ef 818->823 829 2b4839c-2b483a1 822->829 823->805 830 2b485f1-2b485fa 823->830 832 2b48521-2b4852d RegCloseKey 824->832 833 2b484dd-2b484e1 824->833 851 2b485a5-2b485b7 call 2b4ee2a 825->851 852 2b48573-2b4857b 825->852 856 2b486c3-2b4873b call 2b4ee2a * 2 lstrcpyA lstrlenA call 2b47fcf CreateProcessA 826->856 857 2b4875b-2b4875c DeleteFileA 826->857 835 2b48768-2b4876b 827->835 829->829 837 2b483a3-2b483af 829->837 830->805 839 2b485fc-2b4860f call 2b424c2 830->839 832->825 838 2b4852f-2b48541 call 2b4eed1 832->838 833->832 841 2b484e3-2b484e6 833->841 843 2b48776-2b48778 835->843 844 2b4876d-2b48775 call 2b4ec2e 835->844 847 2b483b1 837->847 848 2b483b3-2b483ba 837->848 838->825 838->851 839->805 839->835 841->832 853 2b484e8-2b484f6 call 2b4ebcc 841->853 843->817 844->843 845->809 846->845 847->848 862 2b48450-2b4845f call 2b4ee2a 848->862 863 2b483c0-2b483fb call 2b42544 RegOpenKeyExA 848->863 851->802 876 2b485b9-2b485c1 call 2b4ec2e 851->876 865 2b4857e-2b48583 852->865 853->832 875 2b484f8-2b48513 RegQueryValueExA 853->875 899 2b4873d-2b4874d CloseHandle * 2 856->899 900 2b4874f-2b4875a call 2b47ee6 call 2b47ead 856->900 857->827 862->802 863->862 885 2b483fd-2b4841c RegQueryValueExA 863->885 865->865 874 2b48585-2b4859f RegSetValueExA RegCloseKey 865->874 874->851 875->832 881 2b48515-2b4851e call 2b4ec2e 875->881 876->802 881->832 890 2b4842d-2b48441 RegSetValueExA 885->890 891 2b4841e-2b48421 885->891 892 2b48447-2b4844a RegCloseKey 890->892 891->890 896 2b48423-2b48426 891->896 892->862 896->890 897 2b48428-2b4842b 896->897 897->890 897->892 899->835 900->857
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,02B50750,?,?,00000000,localcfg,00000000), ref: 02B483F3
• RegQueryValueExA.KERNELBASE(02B50750,?,00000000,?,02B48893,?,?,?,00000000,00000103,02B50750,?,?,00000000,localcfg,00000000), ref: 02B48414
• RegSetValueExA.KERNELBASE(02B50750,?,00000000,00000004,02B48893,00000004,?,?,00000000,00000103,02B50750,?,?,00000000,localcfg,00000000), ref: 02B48441
• RegCloseKey.ADVAPI32(02B50750,?,?,00000000,00000103,02B50750,?,?,00000000,localcfg,00000000), ref: 02B4844A
Strings
Memory Dump Source
• Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe$localcfg
• API String ID: 237177642-1530340706
• Opcode ID: 958b4bad9ec467169d8abdb61001f3b34c1b51612b218c54b28f6d6b137c57f0
• Instruction ID: 328ffa08f4173ea906dc9d3aefcc2b35c5ca875f36cbca4a2cae2ac9b36947bd
• Opcode Fuzzy Hash: 958b4bad9ec467169d8abdb61001f3b34c1b51612b218c54b28f6d6b137c57f0
• Instruction Fuzzy Hash: 21C1A3B1D80258BEEB11ABA4DCC4FEE7BBDEB08344F1448A5F905A6041DF309A54EF21

Control-flow Graph

APIs
• GetVersionExA.KERNEL32 ref: 02B41DC6
• GetSystemInfo.KERNELBASE(?), ref: 02B41DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02B41E03
• GetProcAddress.KERNEL32(00000000), ref: 02B41E0A
• GetCurrentProcess.KERNEL32(?), ref: 02B41E1B
• GetTickCount.KERNEL32 ref: 02B41FC9
  • Part of subcall function 02B41BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02B41C15
Strings
Memory Dump Source
• Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: f3b94434b9e12f81b703693de42d749b8de825906322d4442902b5b53bcd73a9
• Instruction ID: d2046aa55f77429c25b183e85cc1aa2aeea8070674127bb380b8c6740b24ab34
• Opcode Fuzzy Hash: f3b94434b9e12f81b703693de42d749b8de825906322d4442902b5b53bcd73a9
• Instruction Fuzzy Hash: D151B1B09043446FE720AF698CC5B27BBECFF48748F044D9DB99A86102DB74A944DB61

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 999 2b473ff-2b47419 1000 2b4741d-2b47422 999->1000 1001 2b4741b 999->1001 1002 2b47424 1000->1002 1003 2b47426-2b4742b 1000->1003 1001->1000 1002->1003 1004 2b47430-2b47435 1003->1004 1005 2b4742d 1003->1005 1006 2b47437 1004->1006 1007 2b4743a-2b47481 call 2b46dc2 call 2b42544 RegOpenKeyExA 1004->1007 1005->1004 1006->1007 1012 2b47487-2b4749d call 2b4ee2a 1007->1012 1013 2b477f9-2b477fe call 2b4ee2a 1007->1013 1018 2b47703-2b4770e RegEnumKeyA 1012->1018 1019 2b47801 1013->1019 1020 2b47714-2b4771d RegCloseKey 1018->1020 1021 2b474a2-2b474b1 call 2b46cad 1018->1021 1022 2b47804-2b47808 1019->1022 1020->1019 1025 2b474b7-2b474cc call 2b4f1a5 1021->1025 1026 2b476ed-2b47700 1021->1026 1025->1026 1029 2b474d2-2b474f8 RegOpenKeyExA 1025->1029 1026->1018 1030 2b47727-2b4772a 1029->1030 1031 2b474fe-2b47530 call 2b42544 RegQueryValueExA 1029->1031 1032 2b47755-2b47764 call 2b4ee2a 1030->1032 1033 2b4772c-2b47740 call 2b4ef00 1030->1033 1031->1030 1040 2b47536-2b4753c 1031->1040 1041 2b476df-2b476e2 1032->1041 1042 2b47742-2b47745 RegCloseKey 1033->1042 1043 2b4774b-2b4774e 1033->1043 1044 2b4753f-2b47544 1040->1044 1041->1026 1045 2b476e4-2b476e7 RegCloseKey 1041->1045 1042->1043 1047 2b477ec-2b477f7 RegCloseKey 1043->1047 1044->1044 1046 2b47546-2b4754b 1044->1046 1045->1026 1046->1032 1048 2b47551-2b4756b call 2b4ee95 1046->1048 1047->1022 1048->1032 1051 2b47571-2b47593 call 2b42544 call 2b4ee95 1048->1051 1056 2b47753 1051->1056 1057 2b47599-2b475a0 1051->1057 1056->1032 1058 2b475a2-2b475c6 call 2b4ef00 call 2b4ed03 1057->1058 1059 2b475c8-2b475d7 call 2b4ed03 1057->1059 1065 2b475d8-2b475da 1058->1065 1059->1065 1066 2b475dc 1065->1066 1067 2b475df-2b47623 call 2b4ee95 call 2b42544 call 2b4ee95 call 2b4ee2a 1065->1067 1066->1067 1077 2b47626-2b4762b 1067->1077 1077->1077 1078 2b4762d-2b47634 1077->1078 1079 2b47637-2b4763c 1078->1079 1079->1079 1080 2b4763e-2b47642 1079->1080 1081 2b47644-2b47656 call 2b4ed77 1080->1081 1082 2b4765c-2b47673 call 2b4ed23 1080->1082 1081->1082 1087 2b47769-2b4777c call 2b4ef00 1081->1087 1088 2b47675-2b4767e 1082->1088 1089 2b47680 1082->1089 1094 2b477e3-2b477e6 RegCloseKey 1087->1094 1091 2b47683-2b4768e call 2b46cad 1088->1091 1089->1091 1096 2b47694-2b476bf call 2b4f1a5 call 2b46c96 1091->1096 1097 2b47722-2b47725 1091->1097 1094->1047 1103 2b476c1-2b476c7 1096->1103 1104 2b476d8 1096->1104 1098 2b476dd 1097->1098 1098->1041 1103->1104 1105 2b476c9-2b476d2 1103->1105 1104->1098 1105->1104 1106 2b4777e-2b47797 GetFileAttributesExA 1105->1106 1107 2b47799 1106->1107 1108 2b4779a-2b4779f 1106->1108 1107->1108 1109 2b477a1 1108->1109 1110 2b477a3-2b477a8 1108->1110 1109->1110 1111 2b477c4-2b477c8 1110->1111 1112 2b477aa-2b477c0 call 2b4ee08 1110->1112 1114 2b477d7-2b477dc 1111->1114 1115 2b477ca-2b477d6 call 2b4ef00 1111->1115 1112->1111 1116 2b477e0-2b477e2 1114->1116 1117 2b477de 1114->1117 1115->1114 1116->1094 1117->1116
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,76230F10,00000000), ref: 02B47472
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,76230F10,00000000), ref: 02B474F0
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,76230F10,00000000), ref: 02B47528
• ___ascii_stricmp.LIBCMT ref: 02B4764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,76230F10,00000000), ref: 02B476E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02B47706
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 02B47717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,76230F10,00000000), ref: 02B47745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,76230F10,00000000), ref: 02B477EF
  • Part of subcall function 02B4F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02B522F8,000000C8,02B47150,?), ref: 02B4F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02B4778F
• RegCloseKey.KERNELBASE(?), ref: 02B477E6
Strings
Memory Dump Source
• Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 4237623234efde6de7c1450c94bef7f1ee0864f803a8d34f4e8c11de046b54e6
• Instruction ID: 13a2b251379c2597173a45cbeaf668f8b4becdcddaef29ac4fbc703061a96318
• Opcode Fuzzy Hash: 4237623234efde6de7c1450c94bef7f1ee0864f803a8d34f4e8c11de046b54e6
• Instruction Fuzzy Hash: 4DC18072940219AFEB119BA4DC84FEEBBBAEF49314F1404D5E504EA190EF71DA44EF60

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 1121 2b4675c-2b46778 1122 2b46784-2b467a2 CreateFileA 1121->1122 1123 2b4677a-2b4677e SetFileAttributesA 1121->1123 1124 2b467a4-2b467b2 CreateFileA 1122->1124 1125 2b467b5-2b467b8 1122->1125 1123->1122 1124->1125 1126 2b467c5-2b467c9 1125->1126 1127 2b467ba-2b467bf SetFileAttributesA 1125->1127 1128 2b46977-2b46986 1126->1128 1129 2b467cf-2b467df GetFileSize 1126->1129 1127->1126 1130 2b467e5-2b467e7 1129->1130 1131 2b4696b 1129->1131 1130->1131 1132 2b467ed-2b4680b ReadFile 1130->1132 1133 2b4696e-2b46971 FindCloseChangeNotification 1131->1133 1132->1131 1134 2b46811-2b46824 SetFilePointer 1132->1134 1133->1128 1134->1131 1135 2b4682a-2b46842 ReadFile 1134->1135 1135->1131 1136 2b46848-2b46861 SetFilePointer 1135->1136 1136->1131 1137 2b46867-2b46876 1136->1137 1138 2b468d5-2b468df 1137->1138 1139 2b46878-2b4688f ReadFile 1137->1139 1138->1133 1140 2b468e5-2b468eb 1138->1140 1141 2b46891-2b4689e 1139->1141 1142 2b468d2 1139->1142 1143 2b468f0-2b468fe call 2b4ebcc 1140->1143 1144 2b468ed 1140->1144 1145 2b468b7-2b468ba 1141->1145 1146 2b468a0-2b468b5 1141->1146 1142->1138 1143->1131 1152 2b46900-2b4690b SetFilePointer 1143->1152 1144->1143 1148 2b468bd-2b468c3 1145->1148 1146->1148 1150 2b468c5 1148->1150 1151 2b468c8-2b468ce 1148->1151 1150->1151 1151->1139 1153 2b468d0 1151->1153 1154 2b4690d-2b46920 ReadFile 1152->1154 1155 2b4695a-2b46969 call 2b4ec2e 1152->1155 1153->1138 1154->1155 1156 2b46922-2b46958 1154->1156 1155->1133 1156->1133
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 02B4677E
                                                                      • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 02B4679A
                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 02B467B0
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 02B467BF
                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 02B467D3
                                                                      • ReadFile.KERNELBASE(000000FF,?,00000040,02B48244,00000000,?,76230F10,00000000), ref: 02B46807
                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 02B4681F
                                                                      • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 02B4683E
                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 02B4685C
                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,02B48244,00000000,?,76230F10,00000000), ref: 02B4688B
                                                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,76230F10,00000000), ref: 02B46906
                                                                      • ReadFile.KERNEL32(000000FF,?,00000000,02B48244,00000000,?,76230F10,00000000), ref: 02B4691C
                                                                      • FindCloseChangeNotification.KERNELBASE(000000FF,?,76230F10,00000000), ref: 02B46971
                                                                        • Part of subcall function 02B4EC2E: GetProcessHeap.KERNEL32(00000000,02B4EA27,00000000,02B4EA27,00000000), ref: 02B4EC41
                                                                        • Part of subcall function 02B4EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02B4EC48
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                      • String ID:
                                                                      • API String ID: 1400801100-0
                                                                      • Opcode ID: 3a2a29440ef59338e2aabe8dbf96377f5384a942e1f9bbb8f3a7610adfd0ca0d
                                                                      • Instruction ID: 881d588990ba7387ff9470b8d482280fb80c97fc0ed56f0d79af4eeaec4b3eeb
                                                                      • Opcode Fuzzy Hash: 3a2a29440ef59338e2aabe8dbf96377f5384a942e1f9bbb8f3a7610adfd0ca0d
                                                                      • Instruction Fuzzy Hash: 94711A71C0021DEFDF159FA4CC80AEEBBB9FB09354F1045AAE915A6190EB709E51DF60
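The argument values in the listing above decode to a read-only open of a hidden file followed by a walk of its PE headers: SetFileAttributesA(path, 0x80) clears attributes to FILE_ATTRIBUTE_NORMAL before CreateFileA(path, GENERIC_READ = 0x80000000, FILE_SHARE_READ|FILE_SHARE_WRITE = 3, ..., OPEN_EXISTING = 3, ...), and SetFileAttributesA(path, 0x02) restores FILE_ATTRIBUTE_HIDDEN afterwards. The ReadFile lengths 0x40, 0xF8 and 0x28 are exactly sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and sizeof(IMAGE_SECTION_HEADER), and the SetFilePointer calls between them fit a seek to e_lfanew and to the section table. The Python below is an added example, not code from the report or from the sample: it reproduces that read/seek sequence over a constructed header-only PE32 image so the structure sizes and offsets can be checked offline. Field offsets come from the PE/COFF specification; the sample image, its section names and its RVAs are made up for the demonstration.

```python
import io
import struct

# Structure sizes, matching the ReadFile lengths in the listing (0x40, 0xF8, 0x28).
DOS_HEADER_SIZE = 0x40       # IMAGE_DOS_HEADER
NT_HEADERS32_SIZE = 0xF8     # "PE\0\0" + IMAGE_FILE_HEADER (0x14) + IMAGE_OPTIONAL_HEADER32 (0xE0)
FILE_HEADER_SIZE = 0x14
OPTIONAL_HEADER32_SIZE = 0xE0
SECTION_HEADER_SIZE = 0x28   # IMAGE_SECTION_HEADER
PE32_MAGIC = 0x10B


def _read_exact(f, n):
    """ReadFile with a length check: a short read means a truncated or malformed image."""
    data = f.read(n)
    if len(data) != n:
        raise ValueError(f"short read: wanted {n:#x} bytes, got {len(data):#x}")
    return data


def parse_pe32_headers(image):
    """Walk a PE32 image's headers with the same read/seek sequence as the sampled function."""
    f = io.BytesIO(image)
    dos = _read_exact(f, DOS_HEADER_SIZE)                        # ReadFile(h, buf, 0x40)
    if dos[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    f.seek(e_lfanew)                                             # SetFilePointer(h, e_lfanew)
    nt = _read_exact(f, NT_HEADERS32_SIZE)                       # ReadFile(h, buf, 0xF8)
    if nt[:4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", nt, 4)
    magic = struct.unpack_from("<H", nt, 4 + FILE_HEADER_SIZE)[0]
    if magic != PE32_MAGIC:
        raise ValueError(f"not a PE32 image (magic {magic:#x})")
    entry_rva = struct.unpack_from("<I", nt, 4 + FILE_HEADER_SIZE + 0x10)[0]
    image_base = struct.unpack_from("<I", nt, 4 + FILE_HEADER_SIZE + 0x1C)[0]
    # The section table follows the optional header; use the declared size, not a fixed 0xE0.
    f.seek(e_lfanew + 4 + FILE_HEADER_SIZE + opt_size)           # SetFilePointer
    sections = []
    for _ in range(nsections):
        sh = _read_exact(f, SECTION_HEADER_SIZE)                 # ReadFile(h, buf, 0x28)
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", sh, 0)
        flags = struct.unpack_from("<I", sh, 0x24)[0]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_pointer": raw_ptr, "characteristics": flags,
        })
    return {
        "e_lfanew": e_lfanew, "machine": machine, "characteristics": characteristics,
        "number_of_sections": nsections, "entry_point_rva": entry_rva,
        "image_base": image_base, "sections": sections,
    }


def looks_like_pe32(image):
    """True if the header walk completes without a structural error."""
    try:
        parse_pe32_headers(image)
        return True
    except ValueError:
        return False


def build_minimal_pe32(section_specs, e_lfanew=0x80):
    """Constructed sample input: a header-only PE32 image from (name, rva, size, flags) tuples."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = bytes(e_lfanew - DOS_HEADER_SIZE)                      # empty DOS stub padding
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0,
                           OPTIONAL_HEADER32_SIZE, 0x0102)        # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(OPTIONAL_HEADER32_SIZE)
    struct.pack_into("<H", opt, 0x00, PE32_MAGIC)
    struct.pack_into("<I", opt, 0x10, 0x1000)                     # AddressOfEntryPoint (made up)
    struct.pack_into("<I", opt, 0x1C, 0x400000)                   # ImageBase (made up)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), size, rva, size, 0, 0, 0, 0, 0, flags)
        for name, rva, size, flags in section_specs
    )
    return bytes(dos) + stub + b"PE\x00\x00" + file_hdr + bytes(opt) + table


if __name__ == "__main__":
    img = build_minimal_pe32([(b".text", 0x1000, 0x200, 0x60000020), (b".data", 0x2000, 0x100, 0xC0000040)])
    for s in parse_pe32_headers(img)["sections"]:
        print(f"{s['name']:8} rva={s['virtual_address']:#x} size={s['virtual_size']:#x}")
```

The parser stops at the header walk, which is all the listing shows; the trailing ReadFile at 02B4691C with a variable length is where the sampled function would consume section contents, and what it does with them is not visible in this report.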

                                                                      Control-flow Graph (rendered graph not preserved; node labels recovered): function 02B4F315-02B4F427
                                                                      • 02B4F33B: call 02B4EE2A, htons, socket; 02B4F374: closesocket; 02B4F382: ioctlsocket; 02B4F3AA: connect, select; 02B4F3F2: __WSAFDIsSet; 02B4F39F: closesocket; 02B4F403: ioctlsocket, call 02B4F26D
                                                                      APIs
                                                                      • htons.WS2_32(02B4CA1D), ref: 02B4F34D
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 02B4F367
                                                                      • closesocket.WS2_32(00000000), ref: 02B4F375
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 13075661d18220e2419dbf1d90ad3b41f135aeea6a7d4dd721f4f6b875a13605
                                                                      • Instruction ID: 0e6a6ca7770c430a1dd3efc41848cdaa4036fdd4728207023e1c73d054d3bb3a
                                                                      • Opcode Fuzzy Hash: 13075661d18220e2419dbf1d90ad3b41f135aeea6a7d4dd721f4f6b875a13605
                                                                      • Instruction Fuzzy Hash: AF317C72940229ABDB11EFA5DC84EFE7BBCFF88354F1045A6F915D3140EB309A419BA1

                                                                      Control-flow Graph (rendered graph not preserved; node labels recovered): function 02B4405E-02B4427B
                                                                      • 02B4405E: CreateEventA; 02B44084: call 02B43ECD, call 02B44000; 02B440AE: call 02B4EE2A; 02B440C0: call 02B4ECA5, 02B43F18, 02B43F8C; 02B44101: call 02B43F18, ExitProcess; 02B44127: CloseHandle; 02B44130: call 02B4EE2A; 02B4413F: call 02B43ECD, CreateNamedPipeA; 02B44167: Sleep (loops back to 02B4413F); 02B44176: CloseHandle; 02B44188: ConnectNamedPipe; 02B44195: GetLastError; 02B441AB, 02B44202, 02B4421D: call 02B43F8C; 02B441C2: call 02B43F18, 02B43F8C; 02B4423C: call 02B43F18; 02B4425E: DisconnectNamedPipe (loops back to 02B44188); 02B4426A: CloseHandle * 2, call 02B4E318
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02B44070
                                                                      • ExitProcess.KERNEL32 ref: 02B44121
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateEventExitProcess
                                                                      • String ID:
                                                                      • API String ID: 2404124870-0
                                                                      • Opcode ID: 8f974cec1afe8a3e76f9639031307bfdfc2d6018746e646bf1722f7aca49e3e2
                                                                      • Instruction ID: cc092eb57ea3f204d82a8a57b71716fe13bc8ddb138c3700c16e2970259ffcc1
                                                                      • Opcode Fuzzy Hash: 8f974cec1afe8a3e76f9639031307bfdfc2d6018746e646bf1722f7aca49e3e2
                                                                      • Instruction Fuzzy Hash: 8F5180B1D40219BAEF10ABA08CC5FBF7ABDEF15754F1405A5FA00B6180EB308A55EB61

                                                                      Control-flow Graph (rendered graph not preserved; node labels recovered): function 02B42D21-02B42DF1
                                                                      • 02B42D21: GetModuleHandleA; 02B42D46: LoadLibraryA; 02B42D5B: GetProcAddress; 02B42D6B: DnsQuery_A; 02B42D97: GetProcessHeap, HeapAlloc; 02B42DAC: call 02B4EE2A, lstrcpynA (record loop over 02B42D90-02B42DE8)
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,02B42F01,?,02B420FF,02B52000), ref: 02B42D3A
                                                                      • LoadLibraryA.KERNEL32(?), ref: 02B42D4A
                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02B42D61
                                                                      • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02B42D77
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02B42D99
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 02B42DA0
                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02B42DCB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                      • API String ID: 233223969-3847274415
                                                                      • Opcode ID: 56565858223b6bc430b477d36da5f0c40bdbf179213f9464e5e9eb8f7732f06c
                                                                      • Instruction ID: 67f80598e68c5e8a03b22c62ce66262f09b92b8b108045ace1b1bebea96030e9
                                                                      • Opcode Fuzzy Hash: 56565858223b6bc430b477d36da5f0c40bdbf179213f9464e5e9eb8f7732f06c
                                                                      • Instruction Fuzzy Hash: 7C215171940625BBCB11AF64DC84BAEBBB9EF08B50F104892FD05E7100DB709985A7D0

                                                                      Control-flow Graph (rendered graph not preserved; node labels recovered): function 02B480C9-02B48273
                                                                      • 02B480C9: call 02B46EC3; 02B480EF: call 02B47EE6; 02B480F9: call 02B4704C; 02B48130: call 02B42544, RegOpenKeyExA; 02B4816D: RegQueryValueExA; 02B48198: call 02B4EBCC; 02B481AA: RegQueryValueExA; 02B481D4: call 02B4EBCC; 02B481E7: call 02B4EF00; 02B48200: call 02B4EC2E; 02B4820D: RegCloseKey; 02B48216: call 02B4EE2A; 02B48235: call 02B4675C; 02B4824D: call 02B424C2, 02B4EC2E
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 02B4815F
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02B4A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 02B48187
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,02B4A45F,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 02B481BE
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,76230F10,00000000), ref: 02B48210
                                                                        • Part of subcall function 02B4675C: SetFileAttributesA.KERNEL32(?,00000080,?,76230F10,00000000), ref: 02B4677E
                                                                        • Part of subcall function 02B4675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,76230F10,00000000), ref: 02B4679A
                                                                        • Part of subcall function 02B4675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,76230F10,00000000), ref: 02B467B0
                                                                        • Part of subcall function 02B4675C: SetFileAttributesA.KERNEL32(?,00000002,?,76230F10,00000000), ref: 02B467BF
                                                                        • Part of subcall function 02B4675C: GetFileSize.KERNEL32(000000FF,00000000,?,76230F10,00000000), ref: 02B467D3
                                                                        • Part of subcall function 02B4675C: ReadFile.KERNELBASE(000000FF,?,00000040,02B48244,00000000,?,76230F10,00000000), ref: 02B46807
                                                                        • Part of subcall function 02B4675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 02B4681F
                                                                        • Part of subcall function 02B4675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,76230F10,00000000), ref: 02B4683E
                                                                        • Part of subcall function 02B4675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,76230F10,00000000), ref: 02B4685C
                                                                        • Part of subcall function 02B4EC2E: GetProcessHeap.KERNEL32(00000000,02B4EA27,00000000,02B4EA27,00000000), ref: 02B4EC41
                                                                        • Part of subcall function 02B4EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02B4EC48
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                      • String ID: C:\Windows\SysWOW64\hvjnshqw\xnjytljr.exe
                                                                      • API String ID: 124786226-3652848383
                                                                      • Opcode ID: 8153ce24506975403f99d58366551f4252beb6bc69e04db03333c3d463292174
                                                                      • Instruction ID: 42485b55b78f813b73a68c9757d6f9281b4a2c5f9535b733728f428eda458037
                                                                      • Opcode Fuzzy Hash: 8153ce24506975403f99d58366551f4252beb6bc69e04db03333c3d463292174
                                                                      • Instruction Fuzzy Hash: F04174B2D45219BFEB11EB949DC0EBE776DEB04344F1408E6ED41A7100EF705A54AB51

                                                                      Control-flow Graph (rendered graph not preserved; node labels recovered): function 02B41AC3-02B41B70
                                                                      • 02B41AC3: LoadLibraryA; 02B41AE2: GetProcAddress; 02B41B1C: GetAdaptersAddresses; 02B41B03: call 02B4EBED (buffer retry, loops back to 02B41B1C); 02B41B60: call 02B4EC2E
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02B41AD4
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02B41AE9
                                                                      • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02B41B20
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                      • API String ID: 3646706440-1087626847
                                                                      • Opcode ID: 8b89f82fd7eafd8000db2df98caef8006d46962de8e56544c731812f190c3bbb
                                                                      • Instruction ID: bb0e520706da5814f674330ce3b38b2e98ce7d943ea8f7263fcbcdc6cc175cf2
                                                                      • Opcode Fuzzy Hash: 8b89f82fd7eafd8000db2df98caef8006d46962de8e56544c731812f190c3bbb
                                                                      • Instruction Fuzzy Hash: C111D671E11238BFDB119BACDCC49EDBBBAEB48B54B1444D5E009E7100EB304A80EB94

                                                                      Control-flow Graph (rendered graph not preserved; node labels recovered): function 02B4E3CA-02B4E52D
                                                                      • 02B4E3CA: RegOpenKeyExA; 02B4E414: call 02B4EE08, 02B4F1ED, RegQueryValueExA; 02B4E458: call 02B4F1ED, RegQueryValueExA; 02B4E490: call 02B4DB2E; 02B4E4A9: call 02B4F1ED, RegQueryValueExA (loops via 02B4E4DC); 02B4E4EC: call 02B42544, 02B4E332; 02B4E51D: RegCloseKey
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000001,02B4E5F2,00000000,00020119,02B4E5F2,02B522F8), ref: 02B4E3E6
                                                                      • RegQueryValueExA.ADVAPI32(02B4E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 02B4E44E
                                                                      • RegQueryValueExA.ADVAPI32(02B4E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 02B4E482
                                                                      • RegQueryValueExA.ADVAPI32(02B4E5F2,?,00000000,?,80000001,?), ref: 02B4E4CF
                                                                      • RegCloseKey.ADVAPI32(02B4E5F2,?,?,?,?,000000C8,000000E4), ref: 02B4E520
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: QueryValue$CloseOpen
                                                                      • String ID:
                                                                      • API String ID: 1586453840-0
                                                                      • Opcode ID: 885db2bb3ab5ccd5f02476ea60759e36d67b3d627856264cc673df1026eb848d
                                                                      • Instruction ID: 8b189aaf65ce903ddaf2610ba1043ea2082f1e7100a04166ee0a8d80322e56d8
                                                                      • Opcode Fuzzy Hash: 885db2bb3ab5ccd5f02476ea60759e36d67b3d627856264cc673df1026eb848d
                                                                      • Instruction Fuzzy Hash: 3641F8B2D0021DBFDF119FD4DC84EEEBBBAFB08344F5444A6E910A7150E7319A55AB60

                                                                      Control-flow Graph (rendered graph not preserved; node labels recovered): function 02B4F26D-02B4F303
                                                                      • Single basic block 02B4F26D-02B4F303: setsockopt * 5
                                                                      APIs
                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02B4F2A0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02B4F2C0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02B4F2DD
                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02B4F2EC
                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02B4F2FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      • Opcode ID: 6e5ea33e37d125f67e9ba235ce936eb155fa7f81e4b43474c826f419f6b87170
                                                                      • Instruction ID: 747d4856238ed9a8df5a01639476d621a6e5ba189733e7a12673d6061f8c462c
                                                                      • Opcode Fuzzy Hash: 6e5ea33e37d125f67e9ba235ce936eb155fa7f81e4b43474c826f419f6b87170
                                                                      • Instruction Fuzzy Hash: F011FBB1A40248BAEB11DE94CD41F9E7FBCEB44751F004066BB04EA1D0E6B19A44CB94
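The function at 02B4F315 (htons, socket(2, 1, 0) = AF_INET/SOCK_STREAM, ioctlsocket, connect, select, __WSAFDIsSet, ioctlsocket, then a call to 02B4F26D) and the function at 02B4F26D above (five setsockopt calls) together form one non-blocking TCP connect with a select() timeout, after which the socket is returned to blocking mode and tuned. With level 0xFFFF = SOL_SOCKET and 0x0006 = IPPROTO_TCP, the option names in the 02B4F26D listing decode, in call order, to SO_REUSEADDR (0x0004), SO_SNDTIMEO (0x1005), SO_RCVTIMEO (0x1006), TCP_NODELAY (0x0001) and SO_LINGER (0x0080). The Python below is an added example, not code from the report or from the sample: it maps those (level, optname) pairs to their names and reproduces the connect sequence against a loopback listener it starts itself. The timeout value, the loopback peer and the use of Python's settimeout() in place of the two Winsock timeout options are assumptions made for the demonstration.

```python
import os
import select
import socket
import struct
import threading

# Winsock level/option values as they appear in the report's setsockopt arguments.
WINSOCK_OPTIONS = {
    (0xFFFF, 0x0004): "SO_REUSEADDR",   # level 0xFFFF = SOL_SOCKET
    (0xFFFF, 0x0080): "SO_LINGER",
    (0xFFFF, 0x1005): "SO_SNDTIMEO",
    (0xFFFF, 0x1006): "SO_RCVTIMEO",
    (0x0006, 0x0001): "TCP_NODELAY",    # level 0x0006 = IPPROTO_TCP
}

# The five (level, optname) pairs from the 02B4F26D listing, in call order.
REPORTED_SETSOCKOPT_CALLS = [
    (0xFFFF, 0x0004), (0xFFFF, 0x1005), (0xFFFF, 0x1006), (0x0006, 0x0001), (0xFFFF, 0x0080),
]


def decode_setsockopt(level, optname):
    """Map a Winsock (level, optname) pair to its symbolic name."""
    return WINSOCK_OPTIONS.get((level, optname), f"unknown(level={level:#x}, optname={optname:#x})")


def tune_socket(s, timeout_s):
    """Counterpart of 02B4F26D: the same five options applied to a connected socket."""
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.settimeout(timeout_s)                          # portable stand-in for SO_SNDTIMEO / SO_RCVTIMEO
    s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
    linger_fmt = "HH" if os.name == "nt" else "ii"   # struct linger differs between Winsock and BSD
    s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack(linger_fmt, 0, 0))  # l_onoff = 0


def connect_with_timeout(host, port, timeout_s):
    """Counterpart of 02B4F315: socket -> FIONBIO on -> connect -> select -> FIONBIO off -> tune."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)       # socket(AF_INET, SOCK_STREAM, 0)
    s.setblocking(False)                                         # ioctlsocket(s, FIONBIO, 1)
    try:
        s.connect((host, port))                                  # WSAEWOULDBLOCK / EINPROGRESS expected
    except BlockingIOError:
        pass
    except OSError:
        s.close()                                                # immediate failure: closesocket
        return None
    _, writable, _ = select.select([], [s], [], timeout_s)       # select() with the caller's timeout
    if not writable or s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) != 0:
        s.close()                                                # timed out or refused: closesocket
        return None                                              # (the __WSAFDIsSet branch)
    s.setblocking(True)                                          # ioctlsocket(s, FIONBIO, 0)
    tune_socket(s, timeout_s)                                    # call 02B4F26D
    return s


def start_loopback_listener():
    """Constructed peer for the demonstration: accepts one connection on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_one():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=accept_one, daemon=True).start()
    return port


def free_loopback_port():
    """A port that was just bound and released, so a connect to it is refused."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    for level, opt in REPORTED_SETSOCKOPT_CALLS:
        print(f"setsockopt(level={level:#06x}, optname={opt:#06x}) -> {decode_setsockopt(level, opt)}")
    conn = connect_with_timeout("127.0.0.1", start_loopback_listener(), 2.0)
    print("connected" if conn else "failed")
    if conn:
        conn.close()
```

The SO_ERROR check after select() is the part the report cannot show: a refused connection also reports the descriptor as writable, so testing writability alone (as __WSAFDIsSet does) is not sufficient to know the connect succeeded.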

                                                                      Control-flow Graph (rendered graph not preserved; node labels recovered): function 02B41BDF-02B41C5E
                                                                      • 02B41BDF: call 02B41AC3; 02B41C0D: GetComputerNameA; 02B41C45: GetVolumeInformationA
                                                                      APIs
                                                                        • Part of subcall function 02B41AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02B41AD4
                                                                        • Part of subcall function 02B41AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02B41AE9
                                                                        • Part of subcall function 02B41AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02B41B20
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 02B41C15
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02B41C51
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: hi_id$localcfg
                                                                      • API String ID: 2794401326-2393279970
                                                                      • Opcode ID: 78d706fff28ca4e9050d722504db30e4c14b1bedb6caf8219c09533a39ae5b09
                                                                      • Instruction ID: b28d89a3427ce476c16d787d6c8f33f21727c70d1003c9047a910fe858f2da88
                                                                      • Opcode Fuzzy Hash: 78d706fff28ca4e9050d722504db30e4c14b1bedb6caf8219c09533a39ae5b09
                                                                      • Instruction Fuzzy Hash: 6F018472D1412CBBEB50DAECCCC49EFBABCEB48655F1008B5D606E7101D6309E84A661
APIs
  • Part of subcall function 02B41AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02B41AD4
  • Part of subcall function 02B41AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02B41AE9
  • Part of subcall function 02B41AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02B41B20
• GetComputerNameA.KERNEL32(?,0000000F), ref: 02B41BA3
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02B41EFD,00000000,00000000,00000000,00000000), ref: 02B41BB8
• API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
APIs
• inet_addr.WS2_32(00000001), ref: 02B42693
• gethostbyname.WS2_32(00000001), ref: 02B4269F
• API ID: gethostbynameinet_addr
• String ID: time_cfg
APIs
  • Part of subcall function 02B4DD05: GetTickCount.KERNEL32 ref: 02B4DD0F
  • Part of subcall function 02B4DD05: InterlockedExchange.KERNEL32(02B536B4,00000001), ref: 02B4DD44
  • Part of subcall function 02B4DD05: GetCurrentThreadId.KERNEL32 ref: 02B4DD53
• GetFileSize.KERNEL32(00000000,00000000,?,76230F10,?,00000000,?,02B4A445), ref: 02B4E558
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,76230F10,?,00000000,?,02B4A445), ref: 02B4E583
• CloseHandle.KERNEL32(00000000,?,76230F10,?,00000000,?,02B4A445), ref: 02B4E5B2
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
APIs
• Sleep.KERNELBASE(000003E8), ref: 02B488A5
  • Part of subcall function 02B4F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02B4E342,00000000,75B4EA50,80000001,00000000,02B4E513,?,00000000,00000000,?,000000E4), ref: 02B4F089
  • Part of subcall function 02B4F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02B4E342,00000000,75B4EA50,80000001,00000000,02B4E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02B4F093
• API ID: Time$FileSystem$Sleep
• String ID: localcfg$rresolv
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,02B522F8,02B442B6,00000000,00000001,02B522F8,00000000,?,02B498FD), ref: 02B44021
• GetLastError.KERNEL32(?,02B498FD,00000001,00000100,02B522F8,02B4A3C7), ref: 02B4402C
• Sleep.KERNEL32(000001F4,?,02B498FD,00000001,00000100,02B522F8,02B4A3C7), ref: 02B44046
• API ID: CreateErrorFileLastSleep
APIs
• GetEnvironmentVariableA.KERNEL32(02B4DC19,?,00000104), ref: 02B4DB7F
• lstrcpyA.KERNEL32(?,02B528F8), ref: 02B4DBA4
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 02B4DBC2
• API ID: CreateEnvironmentFileVariablelstrcpy
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 02B4EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02B4EC72
• GetTickCount.KERNEL32 ref: 02B4EC78
• API ID: Time$CountFileInformationSystemTickVolume
APIs
• gethostname.WS2_32(?,00000080), ref: 02B430D8
• gethostbyname.WS2_32(?), ref: 02B430E2
• API ID: gethostbynamegethostname
APIs
  • Part of subcall function 02B4EBA0: GetProcessHeap.KERNEL32(00000000,00000000,02B4EC0A,00000000,80000001,?,02B4DB55,7FFF0001), ref: 02B4EBAD
  • Part of subcall function 02B4EBA0: HeapSize.KERNEL32(00000000,?,02B4DB55,7FFF0001), ref: 02B4EBB4
• GetProcessHeap.KERNEL32(00000000,02B4EA27,00000000,02B4EA27,00000000), ref: 02B4EC41
• RtlFreeHeap.NTDLL(00000000), ref: 02B4EC48
• API ID: Heap$Process$FreeSize
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,02B4EBFE,7FFF0001,?,02B4DB55,7FFF0001), ref: 02B4EBD3
• RtlAllocateHeap.NTDLL(00000000,?,02B4DB55,7FFF0001), ref: 02B4EBDA
  • Part of subcall function 02B4EB74: GetProcessHeap.KERNEL32(00000000,00000000,02B4EC28,00000000,?,02B4DB55,7FFF0001), ref: 02B4EB81
  • Part of subcall function 02B4EB74: HeapSize.KERNEL32(00000000,?,02B4DB55,7FFF0001), ref: 02B4EB88
• API ID: Heap$Process$AllocateSize
APIs
• recv.WS2_32(000000C8,?,00000000,02B4CA44), ref: 02B4F476
• API ID: recv
APIs
• closesocket.WS2_32(00000000), ref: 02B41992
• API ID: closesocket
APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 02B4DDB5
• API ID: lstrcmpi
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02B49816,EntryPoint), ref: 02B4638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02B49816,EntryPoint), ref: 02B463A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02B463CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02B463EB
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,02B41839,02B49646), ref: 02B41012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 02B410C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02B410E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02B41101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02B41121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02B41140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02B41160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02B41180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02B4119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 02B411BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 02B411DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 02B411FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 02B4121A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressProc$LibraryLoad
                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                      • API String ID: 2238633743-3228201535
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 02B4B2B3
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 02B4B2C2
                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 02B4B2D0
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 02B4B2E1
                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 02B4B31A
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 02B4B329
                                                                      • wsprintfA.USER32 ref: 02B4B3B7
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                      • API String ID: 766114626-2976066047
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                      • API String ID: 2400214276-165278494
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                      • String ID: .$ $AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                      • API String ID: 3650048968-4264063882
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 02B4139A
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 02B41571
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                      • API String ID: 1628651668-1839596206
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7622F380), ref: 02B42A83
                                                                      • HeapAlloc.KERNEL32(00000000,?,7622F380), ref: 02B42A86
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 02B42AA0
                                                                      • htons.WS2_32(00000000), ref: 02B42ADB
                                                                      • select.WS2_32 ref: 02B42B28
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 02B42B4A
                                                                      • htons.WS2_32(?), ref: 02B42B71
                                                                      • htons.WS2_32(?), ref: 02B42B8C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02B42BFB
                                                                      Similarity
                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                      • String ID:
                                                                      • API String ID: 1639031587-0
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,76230F10,?,76230F10,00000000), ref: 02B470C2
                                                                      • RegEnumValueA.ADVAPI32(76230F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,76230F10,00000000), ref: 02B4719E
                                                                      • RegCloseKey.ADVAPI32(76230F10,?,76230F10,00000000), ref: 02B471B2
                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 02B47208
                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 02B47291
                                                                      • ___ascii_stricmp.LIBCMT ref: 02B472C2
                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 02B472D0
                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 02B47314
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02B4738D
                                                                      • RegCloseKey.ADVAPI32(76230F10), ref: 02B473D8
                                                                        • Part of subcall function 02B4F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02B522F8,000000C8,02B47150,?), ref: 02B4F1AD
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                      • String ID: $"
                                                                      • API String ID: 4293430545-3817095088
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 02B4AD98
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 02B4ADA6
                                                                        • Part of subcall function 02B4AD08: gethostname.WS2_32(?,00000080), ref: 02B4AD1C
                                                                        • Part of subcall function 02B4AD08: lstrlenA.KERNEL32(?), ref: 02B4AD60
                                                                        • Part of subcall function 02B4AD08: lstrlenA.KERNEL32(?), ref: 02B4AD69
                                                                        • Part of subcall function 02B4AD08: lstrcpyA.KERNEL32(?,LocalHost), ref: 02B4AD7F
                                                                        • Part of subcall function 02B430B5: gethostname.WS2_32(?,00000080), ref: 02B430D8
                                                                        • Part of subcall function 02B430B5: gethostbyname.WS2_32(?), ref: 02B430E2
                                                                      • wsprintfA.USER32 ref: 02B4AEA5
                                                                        • Part of subcall function 02B4A7A3: inet_ntoa.WS2_32(00000000), ref: 02B4A7A9
                                                                      • wsprintfA.USER32 ref: 02B4AE4F
                                                                      • wsprintfA.USER32 ref: 02B4AE5E
                                                                        • Part of subcall function 02B4EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 02B4EF92
                                                                        • Part of subcall function 02B4EF7C: lstrlenA.KERNEL32(?), ref: 02B4EF99
                                                                        • Part of subcall function 02B4EF7C: lstrlenA.KERNEL32(00000000), ref: 02B4EFA0
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                      • API String ID: 3631595830-1816598006
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,762323A0,?,000DBBA0,?,00000000,02B42F0F,?,02B420FF,02B52000), ref: 02B42E01
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02B42F0F,?,02B420FF,02B52000), ref: 02B42E11
                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02B42E2E
                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02B42F0F,?,02B420FF,02B52000), ref: 02B42E4C
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,02B42F0F,?,02B420FF,02B52000), ref: 02B42E4F
                                                                      • htons.WS2_32(00000035), ref: 02B42E88
                                                                      • inet_addr.WS2_32(?), ref: 02B42E93
                                                                      • gethostbyname.WS2_32(?), ref: 02B42EA6
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02B42F0F,?,02B420FF,02B52000), ref: 02B42EE3
                                                                      • HeapFree.KERNEL32(00000000,?,00000000,02B42F0F,?,02B420FF,02B52000), ref: 02B42EE6
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                      • API String ID: 929413710-2099955842
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?,?,02B49DD7,?,00000022,?,?,00000000,00000001), ref: 02B49340
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02B49DD7,?,00000022,?,?,00000000,00000001), ref: 02B4936E
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,02B49DD7,?,00000022,?,?,00000000,00000001), ref: 02B49375
                                                                      • wsprintfA.USER32 ref: 02B493CE
                                                                      • wsprintfA.USER32 ref: 02B4940C
                                                                      • wsprintfA.USER32 ref: 02B4948D
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02B494F1
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02B49526
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02B49571
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID: runas
                                                                      • API String ID: 3696105349-4000483414
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 02B4B467
                                                                        • Part of subcall function 02B4EF7C: lstrlenA.KERNEL32(?,?,00000000,?,?), ref: 02B4EF92
                                                                        • Part of subcall function 02B4EF7C: lstrlenA.KERNEL32(?), ref: 02B4EF99
                                                                        • Part of subcall function 02B4EF7C: lstrlenA.KERNEL32(00000000), ref: 02B4EFA0
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: lstrlen$wsprintf
                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                      • API String ID: 1220175532-2340906255
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02B42078
                                                                      • GetTickCount.KERNEL32 ref: 02B420D4
                                                                      • GetTickCount.KERNEL32 ref: 02B420DB
                                                                      • GetTickCount.KERNEL32 ref: 02B4212B
                                                                      • GetTickCount.KERNEL32 ref: 02B42132
                                                                      • GetTickCount.KERNEL32 ref: 02B42142
                                                                        • Part of subcall function 02B4F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02B4E342,00000000,75B4EA50,80000001,00000000,02B4E513,?,00000000,00000000,?,000000E4), ref: 02B4F089
                                                                        • Part of subcall function 02B4F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02B4E342,00000000,75B4EA50,80000001,00000000,02B4E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02B4F093
                                                                        • Part of subcall function 02B4E854: lstrcpyA.KERNEL32(00000001,?,?,02B4D8DF,00000001,localcfg,except_info,00100000,02B50264), ref: 02B4E88B
                                                                        • Part of subcall function 02B4E854: lstrlenA.KERNEL32(00000001,?,02B4D8DF,00000001,localcfg,except_info,00100000,02B50264), ref: 02B4E899
                                                                        • Part of subcall function 02B41C5F: wsprintfA.USER32 ref: 02B41CE1
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                      • API String ID: 3976553417-1522128867
                                                                      • Opcode ID: 1842695174d7ebe36a1f39c32ecbc88dd4ed411322b77c74409b636ccd6f2c48
                                                                      • Instruction ID: 411bf1b245b6958fbbc3c899c3601cd8007cd323803027172861fab84d1eb216
                                                                      • Opcode Fuzzy Hash: 1842695174d7ebe36a1f39c32ecbc88dd4ed411322b77c74409b636ccd6f2c48
                                                                      • Instruction Fuzzy Hash: 9D512175D863565EE728EF24EDC5B263BD5EB04344F00089AFE858B290DFB1A094FA21
                                                                      APIs
                                                                        • Part of subcall function 02B4A4C7: GetTickCount.KERNEL32 ref: 02B4A4D1
                                                                        • Part of subcall function 02B4A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 02B4A4FA
                                                                      • GetTickCount.KERNEL32 ref: 02B4C31F
                                                                      • GetTickCount.KERNEL32 ref: 02B4C32B
                                                                      • GetTickCount.KERNEL32 ref: 02B4C363
                                                                      • GetTickCount.KERNEL32 ref: 02B4C378
                                                                      • GetTickCount.KERNEL32 ref: 02B4C44D
                                                                      • InterlockedIncrement.KERNEL32(02B4C4E4), ref: 02B4C4AE
                                                                      • CreateThread.KERNEL32(00000000,00000000,02B4B535,00000000,?,02B4C4E0), ref: 02B4C4C1
                                                                      • CloseHandle.KERNEL32(00000000,?,02B4C4E0,02B53588,02B48810), ref: 02B4C4CC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                      • String ID: localcfg
                                                                      • API String ID: 1553760989-1857712256
                                                                      • Opcode ID: aca5cf02933fc4d2e27592ead18ad67ccf0f303c206983824516ce1734938067
                                                                      • Instruction ID: 01375f74819ca5a6dc72cc875da2c9d5abfc246f0d839525751aeb3ae17ae7fa
                                                                      • Opcode Fuzzy Hash: aca5cf02933fc4d2e27592ead18ad67ccf0f303c206983824516ce1734938067
                                                                      • Instruction Fuzzy Hash: B6518FB1A01B418FD7249F69C6C462ABBE9FB48704B549D3EE18BC7A90DB74F840DB14
                                                                      APIs
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02B4BE4F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02B4BE5B
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02B4BE67
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02B4BF6A
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02B4BF7F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02B4BF94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                      • API String ID: 1586166983-1625972887
                                                                      • Opcode ID: 9cecfe119d3e3098e80e98a0bd4f9f218fc68ea1cb3c6d82a841cad810110867
                                                                      • Instruction ID: 9f2c8d8e0da20ee96557009a95fd3954e730ba1a16a775a6cd5eaea8f302f0ea
                                                                      • Opcode Fuzzy Hash: 9cecfe119d3e3098e80e98a0bd4f9f218fc68ea1cb3c6d82a841cad810110867
                                                                      • Instruction Fuzzy Hash: BE519071E0061AAFDF119E68C8C0B6EBBA9EF44348F0445D9EE459B251DB30E951EF90
                                                                      APIs
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,76228A60,?,?,?,?,02B49A60,?,?,02B49E9D), ref: 02B46A7D
                                                                      • GetDiskFreeSpaceA.KERNEL32(02B49E9D,02B49A60,?,?,?,02B522F8,?,?,?,02B49A60,?,?,02B49E9D), ref: 02B46ABB
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,02B49A60,?,?,02B49E9D), ref: 02B46B40
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02B49A60,?,?,02B49E9D), ref: 02B46B4E
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02B49A60,?,?,02B49E9D), ref: 02B46B5F
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,02B49A60,?,?,02B49E9D), ref: 02B46B6F
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02B49A60,?,?,02B49E9D), ref: 02B46B7D
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02B49A60,?,?,02B49E9D), ref: 02B46B80
                                                                      • GetLastError.KERNEL32(?,?,?,02B49A60,?,?,02B49E9D,?,?,?,?,?,02B49E9D,?,00000022,?), ref: 02B46B96
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                      • String ID:
                                                                      • API String ID: 3188212458-0
                                                                      • Opcode ID: 912745b763395b2c21a081b17ba6d526cbae76192484eecb33686c103bdb4f96
                                                                      • Instruction ID: 74f1abe30b8bb072e69a46c5f39dcd1a66a9a513b6c985f9c4c4a2e20e6fb0b5
                                                                      • Opcode Fuzzy Hash: 912745b763395b2c21a081b17ba6d526cbae76192484eecb33686c103bdb4f96
                                                                      • Instruction Fuzzy Hash: 8431E4B2D0024DAFDB01AFA08885BDFBB7DFF49380F0448A6E651A7100DB3095549F61
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,02B4D7C3), ref: 02B46F7A
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,02B4D7C3), ref: 02B46FC1
                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02B46FE8
                                                                      • LocalFree.KERNEL32(00000120), ref: 02B4701F
                                                                      • wsprintfA.USER32 ref: 02B47036
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                      • String ID: /%d$|
                                                                      • API String ID: 676856371-4124749705
                                                                      • Opcode ID: f12909375bb19e14f46041b419b3095ec22527ff515575d63d1baf5247e15c47
                                                                      • Instruction ID: a28345189954a3ffaf8a95b40798a7bd90cb38c1e2a1fa97884bd02f28048f21
                                                                      • Opcode Fuzzy Hash: f12909375bb19e14f46041b419b3095ec22527ff515575d63d1baf5247e15c47
                                                                      • Instruction Fuzzy Hash: CA31FD72900219AFDB01DFA4D884BDE7BBCEF09354F148596F859DB200DB75E604DB94
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,02B522F8,000000E4,02B46DDC,000000C8), ref: 02B46CE7
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02B46CEE
                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02B46D14
                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02B46D2B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                      • API String ID: 1082366364-3395550214
                                                                      • Opcode ID: 490600c2701974c79377fc14b1d6c6c00cd135fde97e92d399670decbcf4110e
                                                                      • Instruction ID: 4fcb9a60f797be2b8b522a65484917964a834c3355a3a75510ad63597b5892f6
                                                                      • Opcode Fuzzy Hash: 490600c2701974c79377fc14b1d6c6c00cd135fde97e92d399670decbcf4110e
                                                                      • Instruction Fuzzy Hash: 7221D151A8236479F72666225CC8FB72F9DCB4B788F0908C4FC44AF081CF958486A6A6
                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(00000000,02B49947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02B522F8), ref: 02B497B1
                                                                      • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02B522F8), ref: 02B497EB
                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02B522F8), ref: 02B497F9
                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02B522F8), ref: 02B49831
                                                                      • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02B522F8), ref: 02B4984E
                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02B522F8), ref: 02B4985B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                      • String ID: D
                                                                      • API String ID: 2981417381-2746444292
                                                                      • Opcode ID: 442a44f0d029b2cfbfb7e9f949c17474b836eff8c4975547984bd392552525fa
                                                                      • Instruction ID: 09369ce07a804820010fda5e784127632d3d2b3de67949be086ed1bebbc3472a
                                                                      • Opcode Fuzzy Hash: 442a44f0d029b2cfbfb7e9f949c17474b836eff8c4975547984bd392552525fa
                                                                      • Instruction Fuzzy Hash: 22212E71D41229ABDB11AFA1DC89FEF7B7CEF09794F0008A1F919E6040EB309654DBA1
                                                                      APIs
                                                                        • Part of subcall function 02B4DD05: GetTickCount.KERNEL32 ref: 02B4DD0F
                                                                        • Part of subcall function 02B4DD05: InterlockedExchange.KERNEL32(02B536B4,00000001), ref: 02B4DD44
                                                                        • Part of subcall function 02B4DD05: GetCurrentThreadId.KERNEL32 ref: 02B4DD53
                                                                        • Part of subcall function 02B4DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 02B4DDB5
                                                                      • lstrcpynA.KERNEL32(?,02B41E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,02B4EAAA,?,?), ref: 02B4E8DE
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,02B4EAAA,?,?,00000001,?,02B41E84,?), ref: 02B4E935
                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,02B4EAAA,?,?,00000001,?,02B41E84,?,0000000A), ref: 02B4E93D
                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,02B4EAAA,?,?,00000001,?,02B41E84,?), ref: 02B4E94F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                      • String ID: flags_upd$localcfg
                                                                      • API String ID: 204374128-3505511081
                                                                      • Opcode ID: beda793e9fbd31f6a98685cc37de7e17ccc4cef37afb543c36e231417842550b
                                                                      • Instruction ID: a38bcfc21399240146341c82939848c3a2903e1bad729cb4b438d4804608cfa5
                                                                      • Opcode Fuzzy Hash: beda793e9fbd31f6a98685cc37de7e17ccc4cef37afb543c36e231417842550b
                                                                      • Instruction Fuzzy Hash: 1D511E72D0020AAFCB11EFA8C9C49AEB7F9FF48304F1445AAE515A7210EB35EA159F50
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Code
                                                                      • String ID:
                                                                      • API String ID: 3609698214-0
                                                                      • Opcode ID: 90d32068bbb8ecb33db729e850f95094e8f91993a747c27a33b077cff704403c
                                                                      • Instruction ID: 0f20ad26ce10bcdaffd746e791256116baf57f04d46dfaa0f08bab47bd9f4eb6
                                                                      • Opcode Fuzzy Hash: 90d32068bbb8ecb33db729e850f95094e8f91993a747c27a33b077cff704403c
                                                                      • Instruction Fuzzy Hash: B8218172904225FFDB116BA4EDC9E9F7BACEF093A4B144895F502E6041EF31DA10E674
                                                                      APIs
                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,02B522F8), ref: 02B4907B
                                                                      • wsprintfA.USER32 ref: 02B490E9
                                                                      • CreateFileA.KERNEL32(02B522F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B4910E
                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02B49122
                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02B4912D
                                                                      • CloseHandle.KERNEL32(00000000), ref: 02B49134
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                      • String ID:
                                                                      • API String ID: 2439722600-0
                                                                      • Opcode ID: 8035b21a36ab1da9852e3b3a66a062ee6a6a297ee5eff223033b126091915d2a
                                                                      • Instruction ID: 050241a28e2214c2de436a0363c1c6e97f9b00efbd741a753e0ab42b47d1550f
                                                                      • Opcode Fuzzy Hash: 8035b21a36ab1da9852e3b3a66a062ee6a6a297ee5eff223033b126091915d2a
                                                                      • Instruction Fuzzy Hash: 8D119AB6A405247BF7257631DC49FAF366EDFC8700F0488A5BF0AE6051EE708A519A60
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02B4DD0F
                                                                      • GetCurrentThreadId.KERNEL32 ref: 02B4DD20
                                                                      • GetTickCount.KERNEL32 ref: 02B4DD2E
                                                                      • Sleep.KERNEL32(00000000,?,76230F10,?,00000000,02B4E538,?,76230F10,?,00000000,?,02B4A445), ref: 02B4DD3B
                                                                      • InterlockedExchange.KERNEL32(02B536B4,00000001), ref: 02B4DD44
                                                                      • GetCurrentThreadId.KERNEL32 ref: 02B4DD53
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 3819781495-0
                                                                      • Opcode ID: 3561cd37a5711731624363c6e5dfae86a548d1208bfb67fa71cbd3a2c434d11d
                                                                      • Instruction ID: f43001c01098785160b89864912feb834b443d3dc0376d16534b4662541ee255
                                                                      • Opcode Fuzzy Hash: 3561cd37a5711731624363c6e5dfae86a548d1208bfb67fa71cbd3a2c434d11d
                                                                      • Instruction Fuzzy Hash: 75F0E272988339AFC7806BA5A8D4B293BE5EB493D2F040C99E709CB340CB245065DF22
                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000080), ref: 02B4AD1C
                                                                      • lstrlenA.KERNEL32(?), ref: 02B4AD60
                                                                      • lstrlenA.KERNEL32(?), ref: 02B4AD69
                                                                      • lstrcpyA.KERNEL32(?,LocalHost), ref: 02B4AD7F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                      • String ID: LocalHost
                                                                      • API String ID: 3695455745-3154191806
                                                                      • Opcode ID: 49fdd741be856b0a219f05001fb3df5c03faf7a360fa33abac85231c70ac789e
                                                                      • Instruction ID: 8f2d8137f53a315bde74dac60dfab9b753e71f75b413a6da9526a9fa54a63b68
                                                                      • Opcode Fuzzy Hash: 49fdd741be856b0a219f05001fb3df5c03faf7a360fa33abac85231c70ac789e
                                                                      • Instruction Fuzzy Hash: 550145248C42A95EDF351A3888E4BF43F6AEF8A74AF0404D5E4C08B111EF24A083A762
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,02B498FD,00000001,00000100,02B522F8,02B4A3C7), ref: 02B44290
                                                                      • CloseHandle.KERNEL32(02B4A3C7), ref: 02B443AB
                                                                      • CloseHandle.KERNEL32(00000001), ref: 02B443AE
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$CreateEvent
                                                                      • String ID:
                                                                      • API String ID: 1371578007-0
                                                                      • Opcode ID: e12a1811cd1b27f8aaffa3e634fd8bae7b640f50a22df2b45907d17962dc9fd2
                                                                      • Instruction ID: 6040bde362c82e8a496e1d07c836ff7ab87a76c38f9f98f986ede0127c57a933
                                                                      • Opcode Fuzzy Hash: e12a1811cd1b27f8aaffa3e634fd8bae7b640f50a22df2b45907d17962dc9fd2
                                                                      • Instruction Fuzzy Hash: A8419F71D00209BBDF10ABA1DDC5FAFBFB9EF44364F2045A5F615A6180DB349A50EBA0
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,02B464CF,00000000), ref: 02B4609C
                                                                      • LoadLibraryA.KERNEL32(?,?,02B464CF,00000000), ref: 02B460C3
                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 02B4614A
                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02B4619E
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 2438460464-0
                                                                      • Opcode ID: f2c4f439a87714c75a8ddc1b7649684dd68b03edf35c655e33240f51cb1639be
                                                                      • Instruction ID: db52e029b08be0861f4c367fc85a66eab555ba18f839411e0b0478f0611aff3a
                                                                      • Opcode Fuzzy Hash: f2c4f439a87714c75a8ddc1b7649684dd68b03edf35c655e33240f51cb1639be
                                                                      • Instruction Fuzzy Hash: 4C416D71E00206AFDB14CF58C8C4B69B7B9FF05758F1484A9E815D7391DB30E984EB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8a85cd7ea409518bd8430b727a058b2724ed2a93a51f7e53e2858ed42b3b2d4c
                                                                      • Instruction ID: 288e28e854358262a203d12fb4cdd568239a4005d9a351d0e47b064d5dc243fb
                                                                      • Opcode Fuzzy Hash: 8a85cd7ea409518bd8430b727a058b2724ed2a93a51f7e53e2858ed42b3b2d4c
                                                                      • Instruction Fuzzy Hash: E7317C71A00219ABDB109FA5CCC1BBEB7F4EF48741F104896FD54EA241EA74D681AB50
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02B4272E
                                                                      • htons.WS2_32(00000001), ref: 02B42752
                                                                      • htons.WS2_32(0000000F), ref: 02B427D5
                                                                      • htons.WS2_32(00000001), ref: 02B427E3
                                                                      • sendto.WS2_32(?,02B52BF8,00000009,00000000,00000010,00000010), ref: 02B42802
                                                                        • Part of subcall function 02B4EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02B4EBFE,7FFF0001,?,02B4DB55,7FFF0001), ref: 02B4EBD3
                                                                        • Part of subcall function 02B4EBCC: RtlAllocateHeap.NTDLL(00000000,?,02B4DB55,7FFF0001), ref: 02B4EBDA
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                      • String ID:
                                                                      • API String ID: 1128258776-0
                                                                      • Opcode ID: 889712beb4732b31b5f6ca0f6580827ecdbf0994783e12f8fae0475da379346a
                                                                      • Instruction ID: 64e1c1b0c3ec07a368f035509dc802671d715a2782fd83649af0da43099624b8
                                                                      • Opcode Fuzzy Hash: 889712beb4732b31b5f6ca0f6580827ecdbf0994783e12f8fae0475da379346a
                                                                      • Instruction Fuzzy Hash: 04314534A823D69FD7109F74D8C0F657B60EF19358B1988ADEC558F312DA32D892EB10
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02B522F8), ref: 02B4915F
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 02B49166
                                                                      • CharToOemA.USER32(?,?), ref: 02B49174
                                                                      • wsprintfA.USER32 ref: 02B491A9
                                                                        • Part of subcall function 02B49064: GetTempPathA.KERNEL32(00000400,?,00000000,02B522F8), ref: 02B4907B
                                                                        • Part of subcall function 02B49064: wsprintfA.USER32 ref: 02B490E9
                                                                        • Part of subcall function 02B49064: CreateFileA.KERNEL32(02B522F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02B4910E
                                                                        • Part of subcall function 02B49064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02B49122
                                                                        • Part of subcall function 02B49064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02B4912D
                                                                        • Part of subcall function 02B49064: CloseHandle.KERNEL32(00000000), ref: 02B49134
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02B491E1
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID:
                                                                      • API String ID: 3857584221-0
                                                                      • Opcode ID: 8a7e28b238da3a24c43ac35fa8ca142c06333b36337925af1f2c7cb461794226
                                                                      • Instruction ID: 2f4bbdadef5740220d9658695b8f6344f393ba81dc0c601282c20251ebd09483
                                                                      • Opcode Fuzzy Hash: 8a7e28b238da3a24c43ac35fa8ca142c06333b36337925af1f2c7cb461794226
                                                                      • Instruction Fuzzy Hash: E2015EF69402687BEB20A6619D89FDF7B7CDB99B01F000891BB49E6040EA7096C59F71
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02B42491,?,?,?,02B4E844,-00000030,?,?,?,00000001), ref: 02B42429
                                                                      • lstrlenA.KERNEL32(?,?,02B42491,?,?,?,02B4E844,-00000030,?,?,?,00000001,02B41E3D,00000001,localcfg,lid_file_upd), ref: 02B4243E
                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 02B42452
                                                                      • lstrlenA.KERNEL32(?,?,02B42491,?,?,?,02B4E844,-00000030,?,?,?,00000001,02B41E3D,00000001,localcfg,lid_file_upd), ref: 02B42467
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$lstrcmpi
                                                                      • String ID: localcfg
                                                                      • API String ID: 1808961391-1857712256
                                                                      • Opcode ID: 4c82ffd767fc98d8699a7f380a67062862ebef1999e675b7044204250b82eff7
                                                                      • Instruction ID: c5f61a99f37c18bb0d7a6823282b0895fa4ee88637130975dfcd70dde4b290f1
                                                                      • Opcode Fuzzy Hash: 4c82ffd767fc98d8699a7f380a67062862ebef1999e675b7044204250b82eff7
                                                                      • Instruction Fuzzy Hash: F601DA31A00218AFCF11EF69DC849DE7BA9EF44394B49C465FD59D7201E730EA50EB90
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf
                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                      • API String ID: 2111968516-120809033
                                                                      • Opcode ID: 9fd2d690591a1ccc13ccbe15261fa7ebe58f858cdc1946ff2cb38a14deb3d952
                                                                      • Instruction ID: 52bb7bcb1d40df579ba6c0ea603f71f939afc4b4bafbec987c7e308a96ce0a62
                                                                      • Opcode Fuzzy Hash: 9fd2d690591a1ccc13ccbe15261fa7ebe58f858cdc1946ff2cb38a14deb3d952
                                                                      • Instruction Fuzzy Hash: 47418C729042989FDF21DEB98984BEE3BE9AF49310F240095FD64D7151DA34D604DBA0
                                                                      APIs
                                                                        • Part of subcall function 02B4DD05: GetTickCount.KERNEL32 ref: 02B4DD0F
                                                                        • Part of subcall function 02B4DD05: InterlockedExchange.KERNEL32(02B536B4,00000001), ref: 02B4DD44
                                                                        • Part of subcall function 02B4DD05: GetCurrentThreadId.KERNEL32 ref: 02B4DD53
                                                                      • lstrcmpA.KERNEL32(76230F18,00000000,?,76230F10,00000000,?,02B45EC1), ref: 02B4E693
                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,76230F10,00000000,?,02B45EC1), ref: 02B4E6E9
                                                                      • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,76230F10,00000000,?,02B45EC1), ref: 02B4E722
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                      • String ID: 89ABCDEF
                                                                      • API String ID: 3343386518-71641322
                                                                      • Opcode ID: 2747b97098d5dd786e25176dfd650ad65d99d1dba98bdf8f0f391a3bcbccd455
                                                                      • Instruction ID: 8da42ad84403d3249009190f3f175b7351234a99329be02a7d608fab3519bf86
                                                                      • Opcode Fuzzy Hash: 2747b97098d5dd786e25176dfd650ad65d99d1dba98bdf8f0f391a3bcbccd455
                                                                      • Instruction Fuzzy Hash: C831ED32A01326DFCB318F64D8C4B6B77E5FF05364F1448AAE9458B542EB70E880EB81
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,02B4E2A3,00000000,00000000,00000000,00020106,00000000,02B4E2A3,00000000,000000E4), ref: 02B4E0B2
                                                                      • RegSetValueExA.ADVAPI32(02B4E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02B522F8), ref: 02B4E127
                                                                      • RegDeleteValueA.ADVAPI32(02B4E2A3,?,?,?,?,?,000000C8,02B522F8), ref: 02B4E158
                                                                      • RegCloseKey.ADVAPI32(02B4E2A3,?,?,?,?,000000C8,02B522F8,?,?,?,?,?,?,?,?,02B4E2A3), ref: 02B4E161
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID:
                                                                      • API String ID: 2667537340-0
                                                                      • Opcode ID: 38a000596df9354b40954b9587cff90b5f80625388f852a1d12cd6c6d820b1ad
                                                                      • Instruction ID: f775a997cf5a40c5eb4519d81906c5ac035898b463ac44b33868cdc240ef302e
                                                                      • Opcode Fuzzy Hash: 38a000596df9354b40954b9587cff90b5f80625388f852a1d12cd6c6d820b1ad
                                                                      • Instruction Fuzzy Hash: 50217C71A40229BBDF209EA4DC89E9E7FB9EF08790F0440A1F904A6150EA71DA54DB90
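The function records above all share one layout: an APIs list (each call as Name.MODULE(captured stack slots), ref: address, with "Part of subcall function" lines for callees), an optional Strings list, the dump source, and a Similarity block whose API ID, String ID and fuzzy hashes are what the sandbox uses to match the function against other samples. Three of the records are worth reading as a group: the IsBadReadPtr / LoadLibraryA / GetProcAddress loop is the dynamic API resolution the signature list mentions; GetModuleFileNameA followed by a subcall that does GetTempPathA, CreateFileA, WriteFile and then ShellExecuteA is the shape of a drop-to-temp-and-run routine; and RegCreateKeyExA's first slot 80000001 is HKEY_CURRENT_USER with samDesired 00020106, which decodes to KEY_WRITE (0x20006) | KEY_WOW64_64KEY (0x100), so the key is written under the current user without needing elevation. The values in parentheses are stack slots captured at the call site; "?" means the sandbox could not resolve that slot, and reading slot n as the n-th parameter is only safe when the listing lines up with the documented prototype, as it does for that RegCreateKeyExA call.

The script below is an added example for this report, not Joe Sandbox tooling. It parses records in the layout shown on this page into dicts, flags each function by API set against three hypothetical pattern definitions (PATTERNS is my own heuristic, not a Joe Sandbox signature), and decodes the hive and access mask of RegCreateKeyExA. SAMPLE is a constructed excerpt of three records copied from this report and trimmed to the lines the parser needs; the function names parse_records, hexarg, decode_reg_create and analyse are mine.

```python
"""Parse Joe Sandbox IDA-plugin function records and flag call patterns.
Added example for this report, not Joe Sandbox tooling; the record layout is
inferred from this page. SAMPLE is a constructed excerpt of three records
from the report above, trimmed to the lines the parser uses."""
import re
SAMPLE = """\
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,02B464CF,00000000), ref: 02B4609C
• LoadLibraryA.KERNEL32(?,?,02B464CF,00000000), ref: 02B460C3
• GetProcAddress.KERNEL32(?,00000014), ref: 02B4614A
Similarity
• API ID: Read$AddressLibraryLoadProc
• Instruction Fuzzy Hash: 4C416D71E00206AFDB14CF58C8C4B69B7B9FF05758F1484A9E815D7391DB30E984EB90
APIs
• GetModuleFileNameA.KERNEL32(00000000), ref: 02B49166
• wsprintfA.USER32 ref: 02B491A9
  • Part of subcall function 02B49064: GetTempPathA.KERNEL32(00000400,?,00000000,02B522F8), ref: 02B4907B
  • Part of subcall function 02B49064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02B4912D
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02B491E1
Similarity
• Instruction Fuzzy Hash: E2015EF69402687BEB20A6619D89FDF7B7CDB99B01F000891BB49E6040EA7096C59F71
APIs
• RegCreateKeyExA.ADVAPI32(80000001,02B4E2A3,00000000,00000000,00000000,00020106,00000000,02B4E2A3,00000000,000000E4), ref: 02B4E0B2
• RegSetValueExA.ADVAPI32(02B4E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02B522F8), ref: 02B4E127
• RegCloseKey.ADVAPI32(02B4E2A3), ref: 02B4E161
Similarity
• Instruction Fuzzy Hash: 50217C71A40229BBDF209EA4DC89E9E7FB9EF08790F0440A1F904A6150EA71DA54DB90
"""

API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?(?P<api>\w+)\.(?P<mod>\w+)"
                    r"(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+): ?(?P<val>.*)$")   # "API ID: ...", "Source File: ..."

def parse_records(text):
    """One dict per function; a record ends at its Instruction Fuzzy Hash line."""
    records, cur = [], {"apis": [], "fields": {}}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()               # drop indent and bullet
        m = API_RE.match(line)
        if m:
            cur["apis"].append({"api": m["api"], "module": m["mod"], "ref": m["ref"],
                                "subcall": m["sub"],
                                "args": [a for a in (m["args"] or "").split(",") if a]})
            continue
        m = FIELD_RE.match(line)
        if m:
            cur["fields"][m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = {"apis": [], "fields": {}}
    if cur["apis"] or cur["fields"]:                          # trailing partial record
        records.append(cur)
    return records

def hexarg(slot):
    try:                                                      # captured stack slot as int
        return int(slot, 16)
    except ValueError:
        return None                                           # "?" = unresolved by the sandbox

HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
SAM = [(0x20000, "STANDARD_RIGHTS_WRITE"), (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"),
       (0x4, "KEY_CREATE_SUB_KEY"), (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"),
       (0x20, "KEY_CREATE_LINK"), (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]

def decode_reg_create(call):
    """hKey is slot 0 and samDesired slot 5 of RegCreateKeyExA; assumes the captured
    slots line up with the documented prototype (they do for this record)."""
    hkey, sam = hexarg(call["args"][0]), hexarg(call["args"][5])
    known = sum(bit for bit, _ in SAM)
    return {"hive": HIVES.get(hkey, "not a predefined hive"),
            "access": [name for bit, name in SAM if sam is not None and sam & bit],
            "unknown_bits": None if sam is None else sam & ~known}

# Hypothetical API sets that, taken together, characterise a behaviour seen in this report.
PATTERNS = {
    "dynamic API resolution": {"LoadLibraryA", "GetProcAddress"},
    "drop file to temp and execute": {"GetModuleFileNameA", "GetTempPathA", "WriteFile", "ShellExecuteA"},
    "registry value write": {"RegCreateKeyExA", "RegSetValueExA"},
}

def analyse(text):
    out = []
    for rec in parse_records(text):
        seen = {c["api"] for c in rec["apis"]}                # subcall APIs count too
        entry = {"fuzzy": rec["fields"].get("Instruction Fuzzy Hash", ""),
                 "apis": [c["api"] for c in rec["apis"]],
                 "patterns": [p for p, need in PATTERNS.items() if need <= seen],
                 "registry": None}
        for c in rec["apis"]:
            if c["api"] == "RegCreateKeyExA" and len(c["args"]) >= 6:
                entry["registry"] = decode_reg_create(c)
        out.append(entry)
    return out

if __name__ == "__main__":
    print(*analyse(SAMPLE), sep="\n")
```

Run against the full report text instead of SAMPLE to get one entry per function; the Instruction Fuzzy Hash in each entry is the key to join against other reports. Set membership is deliberately loose (order is ignored and subcall APIs are counted), so treat a pattern hit as a prompt to read the disassembly, not as a verdict.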
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,02B4A3C7,00000000,00000000,000007D0,00000001), ref: 02B43FB8
                                                                      • GetLastError.KERNEL32 ref: 02B43FC2
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 02B43FD3
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B43FE6
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: e753420873e189b6dd1a227f5123fb4fa5cf3e16096e86bb6c520afef10c1904
                                                                      • Instruction ID: a2793c2cf931b6df8238ea4b2231388fab229e334b5e61f4ef94aa881b5b08d9
                                                                      • Opcode Fuzzy Hash: e753420873e189b6dd1a227f5123fb4fa5cf3e16096e86bb6c520afef10c1904
                                                                      • Instruction Fuzzy Hash: 5501177291021AABDF01DF90D985BEF7BBCFB08355F144492F902E6040DB319A249BA1
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,02B4A3C7,00000000,00000000,000007D0,00000001), ref: 02B43F44
                                                                      • GetLastError.KERNEL32 ref: 02B43F4E
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 02B43F5F
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B43F72
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: e2de9a7bcd8c778690b1a5f4d155a128b5090a20eebf004ede993a0e940ba6ca
                                                                      • Instruction ID: 5c131d251dd6cc5f0c51ff4115215e6c1b0148f44899d1ff803d9222a0c06d1c
                                                                      • Opcode Fuzzy Hash: e2de9a7bcd8c778690b1a5f4d155a128b5090a20eebf004ede993a0e940ba6ca
                                                                      • Instruction Fuzzy Hash: 2D01D772911219ABDF01DF90D984BEF7BBCFB08395F1449A6FA01E6040D7309A249BA1
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02B44E9E
                                                                      • GetTickCount.KERNEL32 ref: 02B44EAD
                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 02B44EBA
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02B44EC3
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: af78be4d9eba96efb44c5046e52b91819bcf503542311407bebb9faa4f7f8f03
                                                                      • Instruction ID: 6e18c086af9354276a25932313fa54328f0800c649d43afabaa2effaaf6b9175
                                                                      • Opcode Fuzzy Hash: af78be4d9eba96efb44c5046e52b91819bcf503542311407bebb9faa4f7f8f03
                                                                      • Instruction Fuzzy Hash: C6E0863268132857D61036B9ACC4F6B76599F493B1F090D71FB09D7140CA96D46255B1
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02B4A4D1
                                                                      • GetTickCount.KERNEL32 ref: 02B4A4E4
                                                                      • Sleep.KERNEL32(00000000,?,02B4C2E9,02B4C4E0,00000000,localcfg,?,02B4C4E0,02B53588,02B48810), ref: 02B4A4F1
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02B4A4FA
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: c8e878d884c13b00a129214b855d4529e039389783588a015c599f863a640e25
                                                                      • Instruction ID: 7db104f7a338402be98d282c684a3af67778062adf7219fa2314bab20c21cb64
                                                                      • Opcode Fuzzy Hash: c8e878d884c13b00a129214b855d4529e039389783588a015c599f863a640e25
                                                                      • Instruction Fuzzy Hash: B0E0263328032867C60037A5ACC4F6F3388EF4D7A1F0D08A1FF04E7140CA16A55196B2
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02B44BDD
                                                                      • GetTickCount.KERNEL32 ref: 02B44BEC
                                                                      • Sleep.KERNEL32(00000000,?,?,?,0301E06C,02B450F2), ref: 02B44BF9
                                                                      • InterlockedExchange.KERNEL32(0301E060,00000001), ref: 02B44C02
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 798824589ed1dd997141d36adb8e8eaf3000ab901349396e7910f26fbd1e94c0
                                                                      • Instruction ID: d40d8cebac429f74bd66904ad76a31be29d9a19aa2364c377b15e874048a1a29
                                                                      • Opcode Fuzzy Hash: 798824589ed1dd997141d36adb8e8eaf3000ab901349396e7910f26fbd1e94c0
                                                                      • Instruction Fuzzy Hash: 41E0863668132867C61036A55DC0F5A7768DF493A2F0A0CA2FB08D7140C956946156B1
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02B43103
                                                                      • GetTickCount.KERNEL32 ref: 02B4310F
                                                                      • Sleep.KERNEL32(00000000), ref: 02B4311C
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02B43128
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: fdfc5fc4c9fcb461e322ef4a64c94bd96afb4dcb2b5027e908062bdfe676e594
                                                                      • Instruction ID: f6746dd6d00c7803adbf9ec34868c8c20eda78faeac7480cbb06accab9369570
                                                                      • Opcode Fuzzy Hash: fdfc5fc4c9fcb461e322ef4a64c94bd96afb4dcb2b5027e908062bdfe676e594
                                                                      • Instruction Fuzzy Hash: 52E0C231640329ABDB003B75ADC5B4A6B9ADF887A1F190CB1F601EB090CA5048509A72
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 536389180-1857712256
                                                                      • Opcode ID: 0c630e7fdfebab25a5b180e67bc551f08367327a4ad3d649db9ee3b798ceebd0
                                                                      • Instruction ID: c5bf01e3b42add10cdd1c8c80b859e0184a0d3a3f07f00a527dcca96809081b5
                                                                      • Opcode Fuzzy Hash: 0c630e7fdfebab25a5b180e67bc551f08367327a4ad3d649db9ee3b798ceebd0
                                                                      • Instruction Fuzzy Hash: 9321A232A12625AFDB149FA8DCD565ABBBAEF20394B2944DDD401DB211CF30E940DB50
                                                                      APIs
                                                                      Strings
                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 02B4C057
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTickwsprintf
                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                      • API String ID: 2424974917-1012700906
                                                                      • Opcode ID: 638944d02c55df65210069afe3c5923d1ccab63db52ac436076c513fc026ccaf
                                                                      • Instruction ID: df7da744b6d59034e238d9e4c05f3167d66c4292079e3991d3a1e9adc5be6940
                                                                      • Opcode Fuzzy Hash: 638944d02c55df65210069afe3c5923d1ccab63db52ac436076c513fc026ccaf
                                                                      • Instruction Fuzzy Hash: A4119772500110FFDB429AA9CD44E567FA6FF8C358B34859CF6188E166D633D863EB50
                                                                      APIs
                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 02B426C3
                                                                      • inet_ntoa.WS2_32(?), ref: 02B426E4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                      • String ID: localcfg
                                                                      • API String ID: 2112563974-1857712256
                                                                      • Opcode ID: d1bae42f87d5a87513af5ef79106be8b848bf92bc772d0a4fc5bef6f2f518ca1
                                                                      • Instruction ID: cda26d53dffdc197d4b2ee39e94f884558e9dc7e4883a9208718e66ea1231271
                                                                      • Opcode Fuzzy Hash: d1bae42f87d5a87513af5ef79106be8b848bf92bc772d0a4fc5bef6f2f518ca1
                                                                      • Instruction Fuzzy Hash: BCF012325482197BEB006EA4EC45BAA379DEB09754F144865FD08DA090DF71E950AB98
                                                                      APIs
                                                                      • RegisterServiceCtrlHandlerA.ADVAPI32(hvjnshqw,Function_00009867), ref: 02B4996C
                                                                        • Part of subcall function 02B49892: SetServiceStatus.ADVAPI32(02B53394), ref: 02B498EB
                                                                        • Part of subcall function 02B498F2: Sleep.KERNEL32(000003E8,00000100,02B522F8,02B4A3C7), ref: 02B49909
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Service$CtrlHandlerRegisterSleepStatus
                                                                      • String ID: Xd|$hvjnshqw
                                                                      • API String ID: 1317371667-1444363091
                                                                      • Opcode ID: 7d665667e81d105b6a98f888c771736448280abe1dde77ed6c710880e6955c1d
                                                                      • Instruction ID: b797a0547523c0065d76504c2eaab6f4c720ac48281406b33a1d31fc9b187658
                                                                      • Opcode Fuzzy Hash: 7d665667e81d105b6a98f888c771736448280abe1dde77ed6c710880e6955c1d
                                                                      • Instruction Fuzzy Hash: 45F089B1DC0714AEF2106F545CD6B13339DE7503C8F0484E5B7054E240EFB54824AA21
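The strings recorded in the listings above (the wsprintf status format string, "localcfg", and the service name "hvjnshqw" passed to RegisterServiceCtrlHandlerA) are the kind of indicators a responder would carry from a sandbox report into a memory triage. The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it scans a raw dump for those strings and reports their virtual addresses relative to the dumped image base 02B40000. The dump bytes it scans are constructed test data, not the real svchost region, and the offsets they produce are therefore illustrative only.

```python
"""
Memory-dump triage helper for the strings listed in the report above.
Added example; the sample bytes scanned here are constructed, not a real dump.
"""
import re
from typing import Dict, List

DUMP_BASE = 0x02B40000  # image base of the dumped region, as recorded in the report

# Indicators copied from the report's "Strings" / "String ID" entries.
# The format string is truncated to a prefix so trailing field names do not matter.
INDICATORS: Dict[str, bytes] = {
    "status_fmt": b"Type = %d: works = %d cur_thr = %d num_thr = %d",
    "localcfg": b"localcfg",
    "service_name": b"hvjnshqw",   # argument to RegisterServiceCtrlHandlerA
    "ntdll": b"ntdll.dll",         # argument to LoadLibraryA in the API resolver
}


def find_indicators(dump: bytes, base: int = DUMP_BASE) -> Dict[str, List[int]]:
    """Return, per indicator, the sorted virtual addresses (base + offset) of every hit.

    Both the ANSI form and a UTF-16LE form are searched: the report shows the ANSI
    service API, but scanning both costs nothing and catches wide-string builds.
    """
    hits: Dict[str, List[int]] = {}
    for name, needle in INDICATORS.items():
        wide = needle.decode("ascii").encode("utf-16-le")
        addrs = set()
        for variant in (needle, wide):
            for m in re.finditer(re.escape(variant), dump):
                addrs.add(base + m.start())
        hits[name] = sorted(addrs)
    return hits


def indicator_count(hits: Dict[str, List[int]]) -> int:
    """Number of distinct indicators that produced at least one hit."""
    return sum(1 for addrs in hits.values() if addrs)


def build_sample_dump() -> bytes:
    """Constructed test region: zero padding with the indicator strings embedded."""
    buf = bytearray(b"\x00" * 0x100)
    buf += b"localcfg\x00"                                   # lands at base + 0x100
    buf += b"\x00" * 0x20
    buf += b"Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d\x00"
    buf += b"\x00" * 0x10
    buf += b"hvjnshqw\x00"
    buf += b"ntdll.dll\x00"
    return bytes(buf)


if __name__ == "__main__":
    found = find_indicators(build_sample_dump())
    for name, addrs in found.items():
        print(f"{name:13s} {[hex(a) for a in addrs]}")
    print(f"{indicator_count(found)} of {len(INDICATORS)} indicators present")
```

To run it against a real dump, read the .sdmp file as bytes and pass it to find_indicators with the base recorded in the report's "Offset" field; a hit on the service name string together with the status format string is a stronger signal than either alone, since "ntdll.dll" and "localcfg" also occur in benign memory.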
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,02B4EB54,_alldiv,02B4F0B7,80000001,00000000,00989680,00000000,?,?,?,02B4E342,00000000,75B4EA50,80000001,00000000), ref: 02B4EAF2
                                                                      • GetProcAddress.KERNEL32(77310000,00000000), ref: 02B4EB07
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: ntdll.dll
                                                                      • API String ID: 2574300362-2227199552
                                                                      • Opcode ID: df5da11de002888fa75da9911fc18e8d363c111df8860d874ecb520065d0b657
                                                                      • Instruction ID: 87a71438f9eacc362f082e4b69fa74b233640eb059f0105bb981d2d86c75f067
                                                                      • Opcode Fuzzy Hash: df5da11de002888fa75da9911fc18e8d363c111df8860d874ecb520065d0b657
                                                                      • Instruction Fuzzy Hash: A7D0C934A843629B9F125F68998AF4576E8FB587C1B404C99F40ADB200EB31E464EA01
                                                                      APIs
                                                                        • Part of subcall function 02B42D21: GetModuleHandleA.KERNEL32(00000000,762323A0,?,00000000,02B42F01,?,02B420FF,02B52000), ref: 02B42D3A
                                                                        • Part of subcall function 02B42D21: LoadLibraryA.KERNEL32(?), ref: 02B42D4A
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B42F73
                                                                      • HeapFree.KERNEL32(00000000), ref: 02B42F7A
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.3360799224.0000000002B40000.00000040.00000400.00020000.00000000.sdmp, Offset: 02B40000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_2b40000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0
                                                                      • Opcode ID: 8be4bce2352fbd1d09260200748c2948bc8f7d12f3452b3ad49cf6ff4dbe4b18
                                                                      • Instruction ID: b9efdeac0d15595eb9a643245289206f3ef2ebca3024bae523d6dd4713d64706
                                                                      • Opcode Fuzzy Hash: 8be4bce2352fbd1d09260200748c2948bc8f7d12f3452b3ad49cf6ff4dbe4b18
                                                                      • Instruction Fuzzy Hash: C95191719002169FDF01DF64D888AF9B7B5FF09304F2446A9EC96D7210EB32EA19DB90