Windows Analysis Report
dIg0MWRViP.exe

Overview

General Information

Sample name: dIg0MWRViP.exe (renamed because the original name is a hash value)
Original sample name: a6c7dd82eace106350d20d93956360e6.exe
Analysis ID: 1444764
MD5: a6c7dd82eace106350d20d93956360e6
SHA1: 19c5ea0607b527e4c2b08a39583db38f503933e0
SHA256: b7ab94357342f73380569c9b23bc81741e1784b8a7cfdfe8df680000a1f3da1f
Tags: 32, exe, trojan

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • dIg0MWRViP.exe (PID: 5436 cmdline: "C:\Users\user\Desktop\dIg0MWRViP.exe" MD5: A6C7DD82EACE106350D20D93956360E6)
    • cmd.exe (PID: 5100 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\soirllif\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2828 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\rdliobhf.exe" C:\Windows\SysWOW64\soirllif\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7204 cmdline: "C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7252 cmdline: "C:\Windows\System32\sc.exe" description soirllif "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7320 cmdline: "C:\Windows\System32\sc.exe" start soirllif MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7456 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 1032 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rdliobhf.exe (PID: 7372 cmdline: C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d"C:\Users\user\Desktop\dIg0MWRViP.exe" MD5: 0E6E38A8AE20C869A188C52EA93ADF1C)
    • svchost.exe (PID: 7392 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 7512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7372 -s 544 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 7408 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7444 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7372 -ip 7372 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7500 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5436 -ip 5436 MD5: C31336C1EFC2CCB44B4326EA793040F2)
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
Malware configuration (extracted): {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security
    0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
    • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
    0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
    • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
    • 0x10310:$s2: loader_id
    • 0x10340:$s3: start_srv
    • 0x10370:$s4: lid_file_upd
    • 0x10364:$s5: localcfg
    • 0x10a94:$s6: Incorrect respons
    • 0x10b74:$s7: mx connect error
    • 0x10af0:$s8: Error sending command (sent = %d/%d)
    • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
    0000000B.00000002.1728761636.00000000026F8000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
    • 0x1498:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
    00000000.00000002.1729000703.000000000237D000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
    • 0x1598:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
    (24 entries in the full report; only the first are listed here)
    Source | Rule | Description | Author | Strings
    11.3.rdliobhf.exe.24e0000.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
    • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
    11.3.rdliobhf.exe.24e0000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
    • 0xe110:$s2: loader_id
    • 0xe140:$s3: start_srv
    • 0xe170:$s4: lid_file_upd
    • 0xe164:$s5: localcfg
    • 0xe894:$s6: Incorrect respons
    0.3.dIg0MWRViP.exe.3fa0000.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
    • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
    0.3.dIg0MWRViP.exe.3fa0000.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen
    • 0xe110:$s2: loader_id
    • 0xe140:$s3: start_srv
    • 0xe170:$s4: lid_file_upd
    • 0xe164:$s5: localcfg
    • 0xe894:$s6: Incorrect respons
    11.2.rdliobhf.exe.24c0e67.1.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown
    • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
    (39 entries in the full report; only the first are listed here)

    System Summary

    Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d"C:\Users\user\Desktop\dIg0MWRViP.exe", ParentImage: C:\Windows\SysWOW64\soirllif\rdliobhf.exe, ParentProcessId: 7372, ParentProcessName: rdliobhf.exe, ProcessCommandLine: svchost.exe, ProcessId: 7392, ProcessName: svchost.exe
    Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\dIg0MWRViP.exe", ParentImage: C:\Users\user\Desktop\dIg0MWRViP.exe, ParentProcessId: 5436, ParentProcessName: dIg0MWRViP.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7204, ProcessName: sc.exe
    Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.47.53.36, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 7392, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d"C:\Users\user\Desktop\dIg0MWRViP.exe", ParentImage: C:\Windows\SysWOW64\soirllif\rdliobhf.exe, ParentProcessId: 7372, ParentProcessName: rdliobhf.exe, ProcessCommandLine: svchost.exe, ProcessId: 7392, ProcessName: svchost.exe
    Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7392, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\soirllif
    Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\dIg0MWRViP.exe", ParentImage: C:\Users\user\Desktop\dIg0MWRViP.exe, ParentProcessId: 5436, ParentProcessName: dIg0MWRViP.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7204, ProcessName: sc.exe
    Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7408, ProcessName: svchost.exe
    No Snort rule has matched


    AV Detection

    Source: vanaheim.cn:443 | URL Reputation: Label: malware
    Source: jotunheim.name:443 | URL Reputation: Label: malware
    Source: C:\Users\user\AppData\Local\Temp\rdliobhf.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
    Source: 11.2.rdliobhf.exe.24c0e67.1.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
    Source: vanaheim.cn | Virustotal: Detection: 15%
    Source: dIg0MWRViP.exe | ReversingLabs: Detection: 34%
    Source: dIg0MWRViP.exe | Virustotal: Detection: 41%
    Source: C:\Users\user\AppData\Local\Temp\rdliobhf.exe | Joe Sandbox ML: detected
    Source: dIg0MWRViP.exe | Joe Sandbox ML: detected

    Compliance

    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Unpacked PE file: 0.2.dIg0MWRViP.exe.400000.0.unpack
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe | Unpacked PE file: 11.2.rdliobhf.exe.400000.0.unpack
    Source: dIg0MWRViP.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

    Change of critical system settings

    Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\soirllif

    Networking

    Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.94 25
    Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 141.8.199.94 443
    Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
    Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.53.36 25
    Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 142.251.168.26 25
    Source: Malware configuration extractor | URLs: vanaheim.cn:443
    Source: Malware configuration extractor | URLs: jotunheim.name:443
    Source: Joe Sandbox View | IP Address: 67.195.228.94
    Source: Joe Sandbox View | IP Address: 217.69.139.150
    Source: Joe Sandbox View | IP Address: 104.47.53.36
    Source: Joe Sandbox View | ASN Name: YAHOO-GQ1US
    Source: Joe Sandbox View | ASN Name: SPRINTHOSTRU
    Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
    Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
    Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 104.47.53.36:25
    Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 67.195.228.94:25
    Source: global traffic | TCP traffic: 192.168.2.4:49740 -> 142.251.168.26:25
    Source: global traffic | TCP traffic: 192.168.2.4:49743 -> 217.69.139.150:25
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 9 times)
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
    Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
    Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
    Source: global traffic | DNS traffic detected: DNS query: yahoo.com
    Source: global traffic | DNS traffic detected: DNS query: mta7.am0.yahoodns.net
    Source: global traffic | DNS traffic detected: DNS query: google.com
    Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
    Source: global traffic | DNS traffic detected: DNS query: mail.ru
    Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
    Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
    Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443

    Spam, unwanted Advertisements and Ransom Demands

    Source: Yara match | File source: 11.2.rdliobhf.exe.24c0e67.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 11.2.rdliobhf.exe.24e0000.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 11.2.rdliobhf.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.svchost.exe.2f10000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.dIg0MWRViP.exe.400000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.dIg0MWRViP.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 11.2.rdliobhf.exe.24e0000.2.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.3.dIg0MWRViP.exe.3fa0000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 11.2.rdliobhf.exe.400000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 12.2.svchost.exe.2f10000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 11.3.rdliobhf.exe.24e0000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.dIg0MWRViP.exe.24f0e67.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000B.00000002.1727919607.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000003.1683260511.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000B.00000003.1719474471.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: dIg0MWRViP.exe PID: 5436, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: rdliobhf.exe PID: 7372, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7392, type: MEMORYSTR

    System Summary

    Source: 11.3.rdliobhf.exe.24e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 11.3.rdliobhf.exe.24e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 0.3.dIg0MWRViP.exe.3fa0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 0.3.dIg0MWRViP.exe.3fa0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 11.2.rdliobhf.exe.24c0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 11.2.rdliobhf.exe.24c0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 0.2.dIg0MWRViP.exe.24f0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 0.2.dIg0MWRViP.exe.24f0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 11.2.rdliobhf.exe.24c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 11.2.rdliobhf.exe.24c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 11.2.rdliobhf.exe.24e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 11.2.rdliobhf.exe.24e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 11.2.rdliobhf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 11.2.rdliobhf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 12.2.svchost.exe.2f10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 12.2.svchost.exe.2f10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 0.2.dIg0MWRViP.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 0.2.dIg0MWRViP.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 0.2.dIg0MWRViP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 0.2.dIg0MWRViP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 11.2.rdliobhf.exe.24e0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 11.2.rdliobhf.exe.24e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 0.3.dIg0MWRViP.exe.3fa0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 0.3.dIg0MWRViP.exe.3fa0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 11.2.rdliobhf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 11.2.rdliobhf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 12.2.svchost.exe.2f10000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 12.2.svchost.exe.2f10000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 11.3.rdliobhf.exe.24e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 11.3.rdliobhf.exe.24e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 0.2.dIg0MWRViP.exe.24f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 0.2.dIg0MWRViP.exe.24f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 0000000B.00000002.1728761636.00000000026F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
    Source: 00000000.00000002.1729000703.000000000237D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c, Author: unknown
    Source: 0000000B.00000002.1727919607.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 0000000B.00000002.1727919607.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
    Source: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f, Author: unknown
    Source: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 00000000.00000003.1683260511.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 00000000.00000003.1683260511.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 0000000B.00000003.1719474471.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 0000000B.00000003.1719474471.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
    Source: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee, Author: ditekSHen
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\soirllif\
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function: 0_2_0040C913
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe | Code function: 11_2_0040C913
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02F1C913
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function: String function: 0040EE2A appears 40 times
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function: String function: 00402544 appears 53 times
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function: String function: 024F27AB appears 35 times
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7372 -ip 7372
    Source: dIg0MWRViP.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 11.3.rdliobhf.exe.24e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 11.3.rdliobhf.exe.24e0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 0.3.dIg0MWRViP.exe.3fa0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 0.3.dIg0MWRViP.exe.3fa0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 11.2.rdliobhf.exe.24c0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 11.2.rdliobhf.exe.24c0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 0.2.dIg0MWRViP.exe.24f0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 0.2.dIg0MWRViP.exe.24f0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 11.2.rdliobhf.exe.24c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 11.2.rdliobhf.exe.24c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 11.2.rdliobhf.exe.24e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 11.2.rdliobhf.exe.24e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 11.2.rdliobhf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 11.2.rdliobhf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 12.2.svchost.exe.2f10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 12.2.svchost.exe.2f10000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 0.2.dIg0MWRViP.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 0.2.dIg0MWRViP.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 0.2.dIg0MWRViP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 0.2.dIg0MWRViP.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 11.2.rdliobhf.exe.24e0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 11.2.rdliobhf.exe.24e0000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 0.3.dIg0MWRViP.exe.3fa0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 0.3.dIg0MWRViP.exe.3fa0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 11.2.rdliobhf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 11.2.rdliobhf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 12.2.svchost.exe.2f10000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 12.2.svchost.exe.2f10000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 11.3.rdliobhf.exe.24e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 11.3.rdliobhf.exe.24e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 0.2.dIg0MWRViP.exe.24f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 0.2.dIg0MWRViP.exe.24f0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 0000000B.00000002.1728761636.00000000026F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000000.00000002.1729000703.000000000237D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 0000000B.00000002.1727919607.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 0000000B.00000002.1727919607.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 00000000.00000003.1683260511.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 00000000.00000003.1683260511.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 0000000B.00000003.1719474471.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 0000000B.00000003.1719474471.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
    Source: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@30/3@9/5
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function: 0_2_0237E5C6 CreateToolhelp32Snapshot,Module32First
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 12_2_02F19A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7500:64:WilError_03
    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7444:64:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | File created: C:\Users\user\AppData\Local\Temp\rdliobhf.exe
    Source: dIg0MWRViP.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: dIg0MWRViP.exe | ReversingLabs: Detection: 34%
    Source: dIg0MWRViP.exe | Virustotal: Detection: 41%
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | File read: C:\Users\user\Desktop\dIg0MWRViP.exe
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
    Source: unknown | Process created: C:\Users\user\Desktop\dIg0MWRViP.exe "C:\Users\user\Desktop\dIg0MWRViP.exe"
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\soirllif\
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\rdliobhf.exe" C:\Windows\SysWOW64\soirllif\
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support"
    Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description soirllif "wifi internet conection"
    Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start soirllif
    Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown | Process created: C:\Windows\SysWOW64\soirllif\rdliobhf.exe C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d"C:\Users\user\Desktop\dIg0MWRViP.exe"
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
    Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7372 -ip 7372
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5436 -ip 5436
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7372 -s 544
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 1032
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\soirllif\
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\rdliobhf.exe" C:\Windows\SysWOW64\soirllif\
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support"
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description soirllif "wifi internet conection"
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start soirllif
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7372 -ip 7372
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5436 -ip 5436
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7372 -s 544
    Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 1032
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: msimg32.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: msvcr100.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: slc.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Users\user\Desktop\dIg0MWRViP.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exeSection loaded: msimg32.dllJump to behavior
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exeSection loaded: msvcr100.dllJump to behavior
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

    Data Obfuscation

    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Unpacked PE file: 0.2.dIg0MWRViP.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Unpacked PE file: 11.2.rdliobhf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Unpacked PE file: 0.2.dIg0MWRViP.exe.400000.0.unpack
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Unpacked PE file: 11.2.rdliobhf.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_023818AE push 0000002Bh; iretd 0_2_023818B4
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Code function: 11_2_026FC7AE push 0000002Bh; iretd 11_2_026FC7B4

    Persistence and Installation Behavior

    Source: unknown Executable created and started: C:\Windows\SysWOW64\soirllif\rdliobhf.exe
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe File created: C:\Users\user\AppData\Local\Temp\rdliobhf.exe
    Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\soirllif\rdliobhf.exe (copy)
    Source: C:\Windows\SysWOW64\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\soirllif
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support"

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\SysWOW64\svchost.exe File deleted: c:\users\user\desktop\dig0mwrvip.exe
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Process information set: NOGPFAULTERRORBOX
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Process information set: NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX
    Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\svchost.exe Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 12_2_02F1199C
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_11-16180
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-15271
    Source: C:\Windows\SysWOW64\svchost.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_12-7856
    Source: C:\Windows\SysWOW64\svchost.exe Evaded block: after key decision graph_12-6146
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-16020
    Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_12-7332
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_11-15948
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_11-14996
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_0-15063
    Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_12-7449
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_11-14878
    Source: C:\Windows\SysWOW64\svchost.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_12-6176
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14837
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe API coverage: 5.7 %
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe API coverage: 4.4 %
    Source: C:\Windows\SysWOW64\svchost.exe TID: 7584 Thread sleep count: 39 > 30
    Source: C:\Windows\SysWOW64\svchost.exe TID: 7584 Thread sleep time: -39000s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
    Source: svchost.exe, 0000000C.00000002.2944653347.0000000003400000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe API call chain: ExitProcess graph end node graph_0-15269
    Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node graph_12-6180

    Anti Debugging

    Source: C:\Windows\SysWOW64\svchost.exe Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_12-7671
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_11-16241
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_0237DEA3 push dword ptr fs:[00000030h] 0_2_0237DEA3
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_024F092B mov eax, dword ptr fs:[00000030h] 0_2_024F092B
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_024F0D90 mov eax, dword ptr fs:[00000030h] 0_2_024F0D90
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Code function: 11_2_024C092B mov eax, dword ptr fs:[00000030h] 11_2_024C092B
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Code function: 11_2_024C0D90 mov eax, dword ptr fs:[00000030h] 11_2_024C0D90
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Code function: 11_2_026F8DA3 push dword ptr fs:[00000030h] 11_2_026F8DA3
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_0040EC2E GetProcessHeap,RtlFreeHeap, 0_2_0040EC2E
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
    Source: C:\Windows\SysWOW64\svchost.exe Code function: 12_2_02F19A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 12_2_02F19A6B

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 67.195.228.94 25
    Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 141.8.199.94 443
    Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 217.69.139.150 25
    Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 104.47.53.36 25
    Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 142.251.168.26 25
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2F10000 protect: page execute and read and write
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F10000 value starts with: 4D5A
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F10000
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 3084008
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\soirllif\
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\rdliobhf.exe" C:\Windows\SysWOW64\soirllif\
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support"
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description soirllif "wifi internet conection"
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start soirllif
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7372 -ip 7372
    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5436 -ip 5436
    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7372 -s 544
    Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 1032
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, 0_2_0040EC54
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, 0_2_0040B211
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey, 0_2_00409326

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Process created (2x): C:\Windows\SysWOW64\netsh.exe, command line "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    The rule name imitates the description string of the genuine service host ("Host Process for Windows Services"), and the allow names the 32-bit svchost.exe binary rather than a service, so any code running inside that process may accept inbound connections; that is the process the sample injects into, and its injected image carries the bind/listen/accept chain listed under Remote Access Functionality below. The 32-bit sample asked for System32\netsh.exe and got SysWOW64\netsh.exe through WOW64 file-system redirection, and the trailing ">nul" is cmd.exe output redirection captured as part of the command line.

    Stealing of Sensitive Information

    Yara match, unpacked PE: 11.2.rdliobhf.exe.24c0e67.1.raw.unpack
    Yara match, unpacked PE: 11.2.rdliobhf.exe.24e0000.2.raw.unpack
    Yara match, unpacked PE: 11.2.rdliobhf.exe.400000.0.unpack
    Yara match, unpacked PE: 12.2.svchost.exe.2f10000.0.raw.unpack
    Yara match, unpacked PE: 0.2.dIg0MWRViP.exe.400000.0.raw.unpack
    Yara match, unpacked PE: 0.2.dIg0MWRViP.exe.400000.0.unpack
    Yara match, unpacked PE: 11.2.rdliobhf.exe.24e0000.2.unpack
    Yara match, unpacked PE: 0.3.dIg0MWRViP.exe.3fa0000.0.raw.unpack
    Yara match, unpacked PE: 11.2.rdliobhf.exe.400000.0.raw.unpack
    Yara match, unpacked PE: 12.2.svchost.exe.2f10000.0.unpack
    Yara match, unpacked PE: 11.3.rdliobhf.exe.24e0000.0.raw.unpack
    Yara match, unpacked PE: 0.2.dIg0MWRViP.exe.24f0e67.1.raw.unpack
    Yara match, memory dump: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp
    Yara match, memory dump: 0000000B.00000002.1727919607.00000000024E0000.00000004.00001000.00020000.00000000.sdmp
    Yara match, memory dump: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp
    Yara match, memory dump: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp
    Yara match, memory dump: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp
    Yara match, memory dump: 00000000.00000003.1683260511.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp
    Yara match, memory dump: 0000000B.00000003.1719474471.00000000024E0000.00000004.00001000.00020000.00000000.sdmp
    Yara match, memory dump: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp
    Yara match, process memory strings: dIg0MWRViP.exe PID 5436
    Yara match, process memory strings: rdliobhf.exe PID 7372
    Yara match, process memory strings: svchost.exe PID 7392

    Remote Access Functionality

    Yara match, unpacked PE: 11.2.rdliobhf.exe.24c0e67.1.raw.unpack
    Yara match, unpacked PE: 11.2.rdliobhf.exe.24e0000.2.raw.unpack
    Yara match, unpacked PE: 11.2.rdliobhf.exe.400000.0.unpack
    Yara match, unpacked PE: 12.2.svchost.exe.2f10000.0.raw.unpack
    Yara match, unpacked PE: 0.2.dIg0MWRViP.exe.400000.0.raw.unpack
    Yara match, unpacked PE: 0.2.dIg0MWRViP.exe.400000.0.unpack
    Yara match, unpacked PE: 11.2.rdliobhf.exe.24e0000.2.unpack
    Yara match, unpacked PE: 0.3.dIg0MWRViP.exe.3fa0000.0.raw.unpack
    Yara match, unpacked PE: 11.2.rdliobhf.exe.400000.0.raw.unpack
    Yara match, unpacked PE: 12.2.svchost.exe.2f10000.0.unpack
    Yara match, unpacked PE: 11.3.rdliobhf.exe.24e0000.0.raw.unpack
    Yara match, unpacked PE: 0.2.dIg0MWRViP.exe.24f0e67.1.raw.unpack
    Yara match, memory dump: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp
    Yara match, memory dump: 0000000B.00000002.1727919607.00000000024E0000.00000004.00001000.00020000.00000000.sdmp
    Yara match, memory dump: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp
    Yara match, memory dump: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp
    Yara match, memory dump: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp
    Yara match, memory dump: 00000000.00000003.1683260511.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp
    Yara match, memory dump: 0000000B.00000003.1719474471.00000000024E0000.00000004.00001000.00020000.00000000.sdmp
    Yara match, memory dump: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp
    Yara match, process memory strings: dIg0MWRViP.exe PID 5436
    Yara match, process memory strings: rdliobhf.exe PID 7372
    Yara match, process memory strings: svchost.exe PID 7392
    Source: C:\Users\user\Desktop\dIg0MWRViP.exe | Code function 0_2_004088B0: CreateThread, CreateThread, send, recv, socket, connect, closesocket, setsockopt, bind, listen, accept, select, getpeername, getsockname
    Source: C:\Windows\SysWOW64\soirllif\rdliobhf.exe | Code function 11_2_004088B0: CreateThread, CreateThread, send, recv, socket, connect, closesocket, setsockopt, bind, listen, accept, select, getpeername, getsockname
    Source: C:\Windows\SysWOW64\svchost.exe | Code function 12_2_02F188B0: CreateThread, CreateThread, send, recv, socket, connect, closesocket, setsockopt, bind, listen, accept, select, getpeername, getsockname
    (These three hits are one function: it sits at offset 0x88B0 from image base 0x400000 in both the original sample and the dropped copy, and at the same offset 0x88B0 from the injected image at 0x2F10000 inside svchost.exe, the region the 0000000C...02F10000 memory dump above covers. The bind/listen/accept half of the chain is what makes the firewall allow rule for svchost.exe useful to the sample.)
    MITRE ATT&CK matrix. Only the cells the report mapped signatures to are listed; the number in parentheses is the badge rendered in that cell of the report's matrix. The remaining cells of the rendered matrix are unmapped ATT&CK filler and are omitted.

    Reconnaissance, Resource Development: none mapped
    Initial Access: Valid Accounts (1)
    Execution: Native API (41); Command and Scripting Interpreter (2); Service Execution (3)
    Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (14)
    Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (412)
    Defense Evasion: Disable or Modify Tools (3); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (2); DLL Side-Loading (1); File Deletion (1); Masquerading (12); Valid Accounts (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (412)
    Credential Access: none mapped
    Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (15); Security Software Discovery (111); Virtualization/Sandbox Evasion (11); Process Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
    Lateral Movement: none mapped
    Collection: Archive Collected Data (1)
    Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (112)
    Exfiltration: none mapped
    Impact: none mapped
    Behavior graph (ID 1444764, sample dIg0MWRViP.exe, start date 21/05/2024, architecture WINDOWS, score 100)

    Legend of node types in the rendered graph: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), Is malicious, Internet.

    Contacted from the top level: yahoo.com; vanaheim.cn; 6 other IPs or domains
    Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

    dIg0MWRViP.exe
      dropped: C:\Users\user\AppData\Local\...\rdliobhf.exe, PE32
      signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
      started: cmd.exe -> conhost.exe (this cmd.exe drops C:\Windows\SysWOW64\...\rdliobhf.exe (copy), PE32)
      started: netsh.exe -> conhost.exe
      started: cmd.exe -> conhost.exe
      started: 4 other processes -> conhost.exe (3x)

    rdliobhf.exe
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures
      started: WerFault.exe
      started: svchost.exe
        network: mta7.am0.yahoodns.net 67.195.228.94, port 25 (YAHOO-GQ1US, United States); vanaheim.cn 141.8.199.94, port 443 from local ports 49732 and 49741 (SPRINTHOSTRU, Russian Federation); 3 other IPs or domains
        signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)

    svchost.exe (the System32 instance that files the WerFault reports listed earlier)
      started: WerFault.exe (2x)
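    The two process-creation facts above that a detection engineer would alert on are the svchost.exe started by rdliobhf.exe rather than by services.exe, and the netsh advfirewall rule that opens an inbound allow for that same 32-bit svchost.exe (Lowering of HIPS / PFW section). The following is an added example written for this page, not Joe Sandbox code and not code from the sample; it runs both checks over constructed process-creation records. The pipe-separated record format, the benign contrast rows, the SVCHOST_PARENTS and HOST_PROCESSES sets and the USER_WRITABLE markers are assumptions for tuning; only the image paths, the parent path and the netsh command line are taken from the report.

```python
"""Triage Windows process-creation events for two behaviours this report
records: a svchost.exe that is not a genuine service host, and a netsh
advfirewall 'add rule' that opens an inbound allow for it.

Added example for this page; not Joe Sandbox code and not Tofsee code.
The '|'-separated event format and the benign rows are constructed; only
the paths and the netsh command line follow the report.
"""
import ntpath
import re

# Constructed events (Sysmon-like fields, '|' separated; not a real log).
SAMPLE_EVENTS = [
    # Genuine service host: System32 image, parent services.exe, '-k' group.
    r"Image=C:\Windows\System32\svchost.exe|ParentImage=C:\Windows\System32\services.exe|CommandLine=C:\Windows\System32\svchost.exe -k netsvcs -p",
    # The report's injection target: 32-bit svchost started by the dropped binary.
    r"Image=C:\Windows\SysWOW64\svchost.exe|ParentImage=C:\Windows\SysWOW64\soirllif\rdliobhf.exe|CommandLine=C:\Windows\SysWOW64\svchost.exe",
    # The report's firewall rule, command line verbatim including cmd's '>nul'.
    r'Image=C:\Windows\SysWOW64\netsh.exe|ParentImage=C:\Users\user\Desktop\dIg0MWRViP.exe|CommandLine="C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
    # Benign admin rules for contrast (constructed).
    r'Image=C:\Windows\System32\netsh.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=netsh advfirewall firewall add rule name="Contoso Agent" dir=in action=allow program="C:\Program Files\Contoso\agent.exe" enable=yes',
    r'Image=C:\Windows\System32\netsh.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=netsh advfirewall firewall add rule name="Block telnet" dir=in action=block protocol=TCP localport=23',
]

# Tuning assumptions, not facts from the report.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe"}                 # may legitimately spawn svchost.exe
HOST_PROCESSES = {"svchost.exe", "rundll32.exe", "regsvr32.exe"}  # generic hosts; an allow rule should name a service
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
REDIRECT_RE = re.compile(r"\s*>\s*nul\s*$", re.IGNORECASE)


def parse_event(line):
    """Split one 'Key=value|Key=value' record into a dict; only the first '='
    of each field is a separator, so '=' inside CommandLine survives."""
    return dict(field.split("=", 1) for field in line.split("|"))


def parse_netsh_add_rule(cmdline):
    """Return the key=value arguments of 'netsh advfirewall firewall add rule',
    or None for any other netsh invocation."""
    low = cmdline.lower()
    if "advfirewall" not in low or "add rule" not in low:
        return None
    cmdline = REDIRECT_RE.sub("", cmdline)  # '>nul' belongs to cmd.exe, not to netsh
    return {key.lower(): (quoted or bare) for key, quoted, bare in KV_RE.findall(cmdline)}


def firewall_findings(args):
    """Reasons an inbound allow rule deserves a look; empty for anything else."""
    if args.get("action", "").lower() != "allow" or args.get("dir", "").lower() != "in":
        return []
    reasons = []
    program = args.get("program", "")
    base = ntpath.basename(program).lower()
    if base in HOST_PROCESSES and "service" not in args:
        reasons.append(f"inbound allow for generic host {base} with no service= qualifier")
    if any(marker in program.lower() for marker in USER_WRITABLE):
        reasons.append(f"inbound allow for a program in a user-writable path: {program}")
    if not program and "localport" not in args:
        reasons.append("inbound allow restricted by neither program nor localport")
    return reasons


def svchost_findings(event):
    """Reasons a svchost.exe start looks like an injection target rather than a
    service host; empty for other images."""
    if ntpath.basename(event.get("Image", "")).lower() != "svchost.exe":
        return []
    reasons = []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent not in SVCHOST_PARENTS:
        reasons.append(f"svchost.exe started by {parent} rather than services.exe")
    if " -k " not in event.get("CommandLine", "") + " ":
        reasons.append("svchost.exe started without a -k service group")
    return reasons


def triage(lines):
    """Run both checks over the records and return one finding per reason."""
    findings = []
    for idx, line in enumerate(lines):
        event = parse_event(line)
        for reason in svchost_findings(event):
            findings.append({"event": idx, "rule": "svchost_not_service_host", "reason": reason})
        if ntpath.basename(event.get("Image", "")).lower() == "netsh.exe":
            args = parse_netsh_add_rule(event.get("CommandLine", "")) or {}
            for reason in firewall_findings(args):
                findings.append({"event": idx, "rule": "firewall_inbound_allow",
                                 "reason": reason, "name": args.get("name", "")})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

    Run stand-alone it prints three findings: two for the SysWOW64 svchost.exe (wrong parent, no -k group) and one for the netsh rule, which names a generic host process without a service= qualifier. The Contoso rule passes because its program lives under Program Files and is not a host process; the block rule is ignored because only inbound allows are scored. In production the same two functions would be fed Sysmon event 1 or Security 4688 records instead of the constructed strings.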

    Antivirus, machine learning and reputation results

    Initial sample
    dIg0MWRViP.exe | ReversingLabs | 34%
    dIg0MWRViP.exe | Virustotal | 41%
    dIg0MWRViP.exe | Joe Sandbox ML | 100%

    Dropped files
    C:\Users\user\AppData\Local\Temp\rdliobhf.exe | Avira | 100% | TR/Crypt.EPACK.Gen2
    C:\Users\user\AppData\Local\Temp\rdliobhf.exe | Joe Sandbox ML | 100%

    Unpacked PE files
    No Antivirus matches

    Domains
    mxs.mail.ru | Virustotal | 0%
    mta7.am0.yahoodns.net | Virustotal | 1%
    microsoft-com.mail.protection.outlook.com | Virustotal | 0%
    vanaheim.cn | Virustotal | 15%
    yahoo.com | Virustotal | 1%
    mail.ru | Virustotal | 0%
    smtp.google.com | Virustotal | 0%
    google.com | Virustotal | 1%

    URLs
    vanaheim.cn:443 | URL Reputation | 100% | malware
    jotunheim.name:443 | URL Reputation | 100% | malware
    Domains

    Name | IP | Active | Malicious | Reputation
    mxs.mail.ru | 217.69.139.150 | true | true | unknown
    mta7.am0.yahoodns.net | 67.195.228.94 | true | true | unknown
    microsoft-com.mail.protection.outlook.com | 104.47.53.36 | true | true | unknown
    vanaheim.cn | 141.8.199.94 | true | true | unknown
    smtp.google.com | 142.251.168.26 | true | false | unknown
    google.com | unknown | unknown | true | unknown
    yahoo.com | unknown | unknown | true | unknown
    mail.ru | unknown | unknown | true | unknown

    URLs

    Name | Malicious | Antivirus detection | Reputation
    vanaheim.cn:443 | true | URL Reputation: malware | unknown
    jotunheim.name:443 | true | URL Reputation: malware | unknown

    Of the two URLs, only vanaheim.cn was resolved and contacted during the run (port 443, see the behavior graph); jotunheim.name does not appear in the domain table, so it is known here only from the extracted malware configuration. The remaining domains are the mail exchangers of large providers, consistent with the SMTP traffic on port 25 recorded for the injected svchost.exe.
    IPs

    IP | Domain | Country | ASN | ASN name | Malicious
    67.195.228.94 | mta7.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
    141.8.199.94 | vanaheim.cn | Russian Federation | 35278 | SPRINTHOSTRU | true
    142.251.168.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
    217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
    104.47.53.36 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
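    The network tables above show the shape of the injected svchost.exe's traffic: one TLS connection to the C2 (vanaheim.cn:443) followed by SMTP activity against the mail exchangers of several unrelated providers (Yahoo, Mail.ru, Microsoft, Google). A host that is not a mail server talking to many providers' MX hosts on port 25 within seconds is a more robust detection than the individual IPs, which change between samples (compare the per-domain IP contexts in the similar-samples list below). The following is an added example written for this page, not Joe Sandbox code and not code from the sample. The connection tuples are constructed: the timestamps are invented and port-25 connections to all four MX hosts are assumed, whereas the report records a connection only to the Yahoo one and DNS resolutions for the rest. The MTA_ALLOWLIST path, the five-minute window and the threshold of three providers are tuning assumptions.

```python
"""Flag a process that fans out SMTP connections to the mail exchangers of
several providers inside a short window: the pattern a spam module produces
and the pattern this report shows for the injected svchost.exe.

Added example for this page; not Joe Sandbox code and not Tofsee code.
The event tuples are constructed (timestamps invented; port-25 connections
to all four MX hosts assumed, the report records only the Yahoo one).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# (timestamp, image, destination host, destination IP, destination port)
SAMPLE_CONNECTIONS = [
    ("2024-05-21T05:53:40", r"C:\Windows\SysWOW64\svchost.exe", "vanaheim.cn", "141.8.199.94", 443),
    ("2024-05-21T05:53:41", r"C:\Windows\SysWOW64\svchost.exe", "mta7.am0.yahoodns.net", "67.195.228.94", 25),
    ("2024-05-21T05:53:42", r"C:\Windows\SysWOW64\svchost.exe", "mxs.mail.ru", "217.69.139.150", 25),
    ("2024-05-21T05:53:43", r"C:\Windows\SysWOW64\svchost.exe", "microsoft-com.mail.protection.outlook.com", "104.47.53.36", 25),
    ("2024-05-21T05:53:44", r"C:\Windows\SysWOW64\svchost.exe", "smtp.google.com", "142.251.168.26", 25),
    # Benign traffic for contrast (constructed): a mail client on submission, one-off port 25.
    ("2024-05-21T05:58:00", r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe", "smtp.google.com", "142.251.168.26", 587),
    ("2024-05-21T06:10:00", r"C:\Users\user\tools\sendmail.exe", "mxs.mail.ru", "217.69.139.150", 25),
]

# Tuning assumptions: images allowed to speak to many MXes, window length, threshold.
MTA_ALLOWLIST = {r"c:\program files\microsoft\exchange server\v15\bin\edgetransport.exe"}
WINDOW = timedelta(minutes=5)
MIN_PROVIDERS = 3


def registrable_domain(host):
    """Crude provider key: the last two labels. Good enough for the MX hosts
    above; a public-suffix list is needed for co.uk-style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect_smtp_fanout(events, window=WINDOW, min_providers=MIN_PROVIDERS):
    """Return one alert per image whose port-25 destinations inside `window`
    span at least `min_providers` distinct provider domains."""
    recent = defaultdict(deque)      # image -> deque of (ts, provider, ip) within the window
    alerted, alerts = set(), []
    for ts_str, image, host, ip, port in sorted(events, key=lambda e: e[0]):
        key = image.lower()
        if port != 25 or key in MTA_ALLOWLIST:
            continue
        ts = datetime.fromisoformat(ts_str)
        window_events = recent[key]
        window_events.append((ts, registrable_domain(host), ip))
        while ts - window_events[0][0] > window:   # evict connections older than the window
            window_events.popleft()
        providers = {provider for _, provider, _ in window_events}
        if len(providers) >= min_providers and key not in alerted:
            alerted.add(key)
            alerts.append({
                "image": image,
                "first_seen": window_events[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "providers": sorted(providers),
                "destinations": sorted({dst for _, _, dst in window_events}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_smtp_fanout(SAMPLE_CONNECTIONS):
        print(alert)
```

    The alert fires on the third distinct provider (Yahoo, Mail.ru, Microsoft, at 05:53:43) and is raised once per image; the mail client on port 587 and the single port-25 connection from sendmail.exe stay silent. The provider key matters: counting distinct IPs alone would also trigger on a legitimate relay retrying the several MX hosts of one provider.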
    Joe Sandbox version: 40.0.0 Tourmaline
    Analysis ID: 1444764
    Start date and time: 2024-05-21 07:52:07 +02:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 6m 27s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 24
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: dIg0MWRViP.exe (renamed because the original name is a hash value)
    Original Sample Name: a6c7dd82eace106350d20d93956360e6.exe
    Detection: MAL
    Classification: mal100.troj.evad.winEXE@30/3@9/5
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 65
    • Number of non-executed functions: 253
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded IPs from analysis (whitelisted): 20.112.250.133, 20.236.44.162, 20.70.246.20, 20.231.239.246, 20.76.201.171
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • Report size getting too big, too many NtEnumerateKey calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    01:53:47 | API Interceptor | 12x Sleep call for process: svchost.exe modified
    Other samples that contacted the same IPs (sample name: detection, threat name)

    67.195.228.94
    - SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe: malicious, Phorpiex
    - file.exe: malicious, Phorpiex
    - WtRLqa6ZXn.exe: malicious, Unknown
    - newtpp.exe: malicious, Phorpiex
    - gEkl9O5tiu.exe: malicious, Phorpiex
    - file.exe: malicious, Tofsee
    - file.exe: malicious, Phorpiex, Xmrig
    - l3Qj8QhTYZ.exe: malicious, Phorpiex
    - message.elm.exe: malicious, Unknown
    - test.dat.exe: malicious, Unknown

    141.8.199.94
    - rpzOeQ5QzX.exe: malicious, Tofsee

    217.69.139.150
    - rpzOeQ5QzX.exe: malicious, Tofsee
    - OgcktrbHkI.exe: malicious, Tofsee
    - G7DyaA9iz9.exe: malicious, Pushdo
    - x607DB0i08.exe: malicious, Pushdo
    - x7RlIzQDk1.exe: malicious, Unknown
    - EwK95WVtzI.exe: malicious, Pushdo
    - OWd39WUX3D.exe: malicious, Pushdo
    - 0bv3c9AqYs.exe: malicious, Pushdo
    - gEkl9O5tiu.exe: malicious, Phorpiex
    - CX17SY6xF6.exe: malicious, Pushdo

    104.47.53.36
    - OgcktrbHkI.exe: malicious, Tofsee
    - DWoKcG581L.exe: malicious, Tofsee
    - kPl1mZTpru.exe: malicious, Tofsee
    - Wc4SadetF5.exe: malicious, Tofsee
    - L7iza9mNDI.exe: malicious, Tofsee
    - file.exe: malicious, Tofsee
    - mvu3vh0t.exe: malicious, Tofsee
    - t26nL0kcxj.exe: malicious, Tofsee
    - lhs31fcc2k0lmr.exe: malicious, Tofsee
    - SecuriteInfo.com.Win32.TrojanX-gen.5284.17028.exe: malicious, Tofsee

    Other samples that contacted the same domains (sample name: detection, threat name; IP the domain resolved to in that analysis)

    mta7.am0.yahoodns.net
    - rpzOeQ5QzX.exe: malicious, Tofsee (98.136.96.91)
    - SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exe: malicious, Phorpiex (67.195.228.94)
    - SecuriteInfo.com.Win32.BotX-gen.31335.5127.exe: malicious, Tofsee (67.195.204.73)
    - file.exe: malicious, Phorpiex (67.195.228.111)
    - file.exe: malicious, Phorpiex (98.136.96.77)
    - RqrQG7s66x.dll: malicious, Unknown (67.195.204.79)
    - 3pYA64ZwEC.exe: malicious, Unknown (98.136.96.77)
    - newtpp.exe: malicious, Phorpiex (98.136.96.91)
    - 7b8wRbnmKu.exe: malicious, Unknown (67.195.204.79)
    - file.msg.scr.exe: malicious, Unknown (67.195.204.79)

    microsoft-com.mail.protection.outlook.com
    - rpzOeQ5QzX.exe: malicious, Tofsee (104.47.54.36)
    - OgcktrbHkI.exe: malicious, Tofsee (104.47.53.36)
    - DWoKcG581L.exe: malicious, Tofsee (104.47.53.36)
    - kPl1mZTpru.exe: malicious, Tofsee (52.101.11.0)
    - Wc4SadetF5.exe: malicious, Tofsee (104.47.53.36)
    - L7iza9mNDI.exe: malicious, Tofsee (52.101.11.0)
    - file.exe: malicious, Tofsee (52.101.11.0)
    - sorteado!!.com.exe: malicious, Unknown (52.101.11.0)
    - mvu3vh0t.exe: malicious, Tofsee (104.47.53.36)
    - U9dDsItOij.exe: malicious, Tofsee (52.101.40.26)

    vanaheim.cn
    - rpzOeQ5QzX.exe: malicious, Tofsee (141.8.199.94)
    - OgcktrbHkI.exe: malicious, Tofsee (109.107.161.150)
    - DWoKcG581L.exe: malicious, Tofsee (85.208.208.90)
    - kPl1mZTpru.exe: malicious, Tofsee (77.232.138.239)
    - Wc4SadetF5.exe: malicious, Tofsee (5.188.88.112)
    - L7iza9mNDI.exe: malicious, Tofsee (5.188.88.112)
    - file.exe: malicious, Tofsee (5.188.88.112)
    - mvu3vh0t.exe: malicious, Tofsee (194.169.163.56)
    - U9dDsItOij.exe: malicious, Tofsee (194.169.163.56)
    - bwntJQufLG.exe: malicious, Tofsee (194.169.163.56)

    mxs.mail.ru
    - rpzOeQ5QzX.exe: malicious, Tofsee (217.69.139.150)
    - OgcktrbHkI.exe: malicious, Tofsee (217.69.139.150)
    - a5hbkmGD7N.exe: malicious, Pushdo (94.100.180.31)
    - G7DyaA9iz9.exe: malicious, Pushdo (217.69.139.150)
    - x7RlIzQDk1.exe: malicious, Unknown (217.69.139.150)
    - gEkl9O5tiu.exe: malicious, Phorpiex (94.100.180.31)
    - PIyT9A3jfC.exe: malicious, Pushdo (217.69.139.150)
    - file.exe: malicious, Phorpiex, Xmrig (217.69.139.150)
    - rLDmqbpt5D.exe: malicious, Pushdo, DanaBot, RedLine, SmokeLoader (94.100.180.31)
    - .exe: malicious, Unknown (94.100.180.31)

    Other samples that contacted the same ASNs (sample name: detection, threat name; IP contacted in that analysis)

    MAILRU-ASMailRuRU
    - rpzOeQ5QzX.exe: malicious, Tofsee (217.69.139.150)
    - uUyFtCTKDd.elf: malicious, Mirai (94.100.184.243)
    - https://www.ixxin.cn/go.html?url=https://ok.me/b5SG1?M6bxrJ9vlWS?MtRgHryntBJ: malicious, GRQ Scam (217.20.155.6)
    - OgcktrbHkI.exe: malicious, Tofsee (217.69.139.150)
    - c40snYcuW6.elf: malicious, Mirai (5.61.23.80)
    - arm7.elf: malicious, Mirai (217.69.134.17)
    - SkM9yWax29.elf: malicious, Mirai (178.237.22.126)
    - base.apk: malicious, Anubis BankBot (178.237.20.131)
    - UD6c1o6Fhg.elf: malicious, Mirai (94.100.184.227)
    - BSKbaZ6Mij.elf: malicious, Mirai (94.100.184.245)

    SPRINTHOSTRU
    - rpzOeQ5QzX.exe: malicious, Tofsee (141.8.199.94)
    - ckx1nc2UXk.exe: malicious, Blank Grabber, DCRat, Umbral Stealer, XWorm (141.8.192.103)
    - qxHQmnOvjL.exe: malicious, DCRat (141.8.195.33)
    - 9hupFTW1CI.exe: malicious, DCRat (141.8.192.93)
    - l35QvlkTXb.exe: malicious, DCRat (141.8.197.42)
    - WVswy22Yv1.exe: malicious, DCRat (141.8.192.169)
    - Se7CZnlXZZ.exe: malicious, AgentTesla, PureLog Stealer, zgRAT (141.8.192.82)
    - R29s0ssNyZ.exe: malicious, DCRat (141.8.192.126)
    - nXaujG6G1F.exe: malicious, Blank Grabber, DCRat, Umbral Stealer (141.8.192.103)
    - n0mtzNARob.exe: malicious, DCRat (141.8.197.42)

    YAHOO-GQ1US
    - GK9sEyIS4f.elf: malicious, Mirai (98.136.201.234)
    - n6UMcur8v3.elf: malicious, Mirai (98.137.238.181)
    - zGP5DlrwgZ.elf: malicious, Gafgyt, Mirai (98.137.103.190)
    - 9g5gIOlb47.elf: malicious, Mirai (98.139.117.88)
    - https://www.googleadservices.com/pagead/aclk?sa=L&ai=CEPSIY7k7Zpu1AY3rkPIP8q21mAvP_pi8d4PY85XiEsq6jPG-ARABIPT5xiVgyeaGi7ykoBqgAcCz_YIDyAEC4AIAqAMByAMIqgSdAk_QZfhjp8EKKRw8Ud-sac3T3jbhfjxjJ1sRhgU3SOjAuI5huqeTvemsIazylmO5A9WU45_edGutcUqL46MvuNtxU89a64S7xhljcSlyUs-dysnWLJ2j0jUpH_gKnco9owTuaX1dg-lH7IYSpQI3MKj-Dr00v1SC_8ZhuzoINVR1E2pcblzJpyD5_udwujRkOY3Fao0Lt8Mai9Sq-EbJfdXMijbwOeNV94FwcwlSMZ7he13IkHy_a1HexFAPvo5qqjQXKG7VuYCajYpF3q5URq0loIuDY5WXWNc5RPV77yzvPDM2ytOukuK76vBmfoFdcFIyWUc5xZIVsm9dr8SzjJNE1z63RwDOkXHpq4VxrPcl1gRfUlqaUGyYeMbOoMAEp9WvltcE4AQBiAWQgcDhTpAGAaAGAoAHqMyCfYgHAZAHAqgH2baxAqgH1ckbqAemvhuoB47OG6gHk9gbqAfulrECqAf-nrECqAevvrECqAeaBqgH89EbqAeW2BuoB6qbsQKoB4OtsQKoB-C9sQKoB_-esQKoB9-fsQKoB_jCsQKoB_vCsQLYBwHSCCcIABACGB0yAQA6Dp_QgICAgASAwICAgKAoSL39wTpYjsuajM3-hQOxCUbAF_v0mAHVgAoDmAsByAsBqg0CVVPIDQHiDRMIlf2ajM3-hQMVjTVECB3yVg2z2BMM0BUB-BYBgBcBshgJEgLeaBgCIgEA6BgB&ae=1&gclid=Cj0KCQjwxeyxBhC7ARIsAC7dS38YLg3rX_OKomm_dfFxFHKQ-xaABBJ-7gCz8VhxHk9qVjyKpQQOlOIaAvqNEALw_wcB&num=1&cid=CAQSQwB7FLtqgUEuOym-5Tn68arUiPJ1jdwPgw46Y6zUHfAkI3hTIEhGQzVeYafsm9LBj6pxutwTRiLFJPhCq9OvYdD7CqQYAQ&sig=AOD64_2G4fRbd2sH1E5jnf1iXQS4SW_Q2g&client=ca-pub-6396844742497208&rf=5&nx=CLICK_X&ny=CLICK_Y&uap=UACH(platform)&uapv=UACH(platformVersion)&uaa=UACH(architecture)&uam=UACH(model)&uafv=UACH(uaFullVersion)&uab=UACH(bitness)&uaw=UACH(wow64)&uafvl=UACH(fullVersionList)&nb=2&adurl=https://browsingwithwave.com/%3Fsrc%3Dd-aff16-cp21142438032%26ob%3Dobgcobedobem%26dvc%3Dc%26k%3D%26crt%3D695418066867%26adp%3D%26plc%3D%26tgt%3D%26sl%3D%26cpd%3D21142438032%26iid%3Dwav%26gclid%3DCj0KCQjwxeyxBhC7ARIsAC7dS38YLg3rX_OKomm_dfFxFHKQ-xaABBJ-7gCz8VhxHk9qVjyKpQQOlOIaAvqNEALw_wcB: malicious, Unknown
                                                                  • 98.136.144.138
                                                                  https://t.co/yKnQGIBNmnGet hashmaliciousHTMLPhisherBrowse
                                                                  • 74.6.160.138
                                                                  SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exeGet hashmaliciousPhorpiexBrowse
                                                                  • 67.195.228.94
                                                                  z8s945rPmZ.exeGet hashmaliciousSystemBCBrowse
                                                                  • 67.195.12.34
                                                                  OgcktrbHkI.exeGet hashmaliciousTofseeBrowse
                                                                  • 67.195.228.110
                                                                  q5C2tw1Pc6.elfGet hashmaliciousMiraiBrowse
                                                                  • 67.195.2.124
                                                                  MICROSOFT-CORP-MSN-AS-BLOCKUSPGA_Champ_2024_runde4.xlsmGet hashmaliciousUnknownBrowse
                                                                  • 13.107.246.45
                                                                  xfO72LuQ7K.elfGet hashmaliciousUnknownBrowse
                                                                  • 52.125.178.87
                                                                  zDAH4anUtC.elfGet hashmaliciousUnknownBrowse
                                                                  • 20.61.249.236
                                                                  Inventory_list.xlsGet hashmaliciousUnknownBrowse
                                                                  • 13.107.246.45
                                                                  Lek#U00e9rdez#U00e9s 220062 .xlsGet hashmaliciousUnknownBrowse
                                                                  • 13.107.246.45
                                                                  file.exeGet hashmaliciousFormBookBrowse
                                                                  • 13.107.246.40
                                                                  PON2401071.xlsGet hashmaliciousUnknownBrowse
                                                                  • 13.107.246.45
                                                                  Purchase order 0012May21-24.xlsGet hashmaliciousUnknownBrowse
                                                                  • 13.107.246.67
                                                                  Plat#U0103 Factura MTL11852.xlsGet hashmaliciousUnknownBrowse
                                                                  • 13.107.213.67
                                                                  la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                                                  • 51.122.163.175
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\dIg0MWRViP.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12872704
                                                                  Entropy (8bit):4.325440067725303
                                                                  Encrypted:false
                                                                  SSDEEP:3072:DpkXzxIGzA9aUo/PhcnVHUtoe5K9l9l9l9l9l9l9l9l9l9l9l9l9l9l9l9l9l9l9:+D+5+Q
                                                                  MD5:0E6E38A8AE20C869A188C52EA93ADF1C
                                                                  SHA1:F6F6E263C9177F84C34CDABC686B49A08D20E9C1
                                                                  SHA-256:EB54F57C84194A68A9458840C945D1B406F5D7A46C9F31C3BE357116B698A112
                                                                  SHA-512:B046EB35AE01E14E21B49494223EB97DE2CFB0F0F601994506369203A0A18D0B689C9E3E1BB95E510E651A2F0E00A8EE221FD8F9E0D0BEABA6DEBDB761B9DDD7
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$Bl.E,?.E,?.E,?V..?.E,?...?.E,?...?.E,?...?.E,?.W?.E,?.E-?.E,?...?.E,?...?.E,?...?.E,?Rich.E,?........................PE..L...=n^e.....................$....................@.................................GN..........................................P...................................................................................................................text............................... ..`.rdata..fc.......d..................@..@.data...\...........................@....rsrc...........F...&..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):12872704
                                                                  Entropy (8bit):4.325440067725303
                                                                  Encrypted:false
                                                                  SSDEEP:3072:DpkXzxIGzA9aUo/PhcnVHUtoe5K9l9l9l9l9l9l9l9l9l9l9l9l9l9l9l9l9l9l9:+D+5+Q
                                                                  MD5:0E6E38A8AE20C869A188C52EA93ADF1C
                                                                  SHA1:F6F6E263C9177F84C34CDABC686B49A08D20E9C1
                                                                  SHA-256:EB54F57C84194A68A9458840C945D1B406F5D7A46C9F31C3BE357116B698A112
                                                                  SHA-512:B046EB35AE01E14E21B49494223EB97DE2CFB0F0F601994506369203A0A18D0B689C9E3E1BB95E510E651A2F0E00A8EE221FD8F9E0D0BEABA6DEBDB761B9DDD7
                                                                  Malicious:true
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$Bl.E,?.E,?.E,?V..?.E,?...?.E,?...?.E,?...?.E,?.W?.E,?.E-?.E,?...?.E,?...?.E,?...?.E,?Rich.E,?........................PE..L...=n^e.....................$....................@.................................GN..........................................P...................................................................................................................text............................... ..`.rdata..fc.......d..................@..@.data...\...........................@....rsrc...........F...&..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\netsh.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):3773
                                                                  Entropy (8bit):4.7109073551842435
                                                                  Encrypted:false
                                                                  SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                  MD5:DA3247A302D70819F10BCEEBAF400503
                                                                  SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                  SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                  SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                  Malicious:false
                                                                  Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Entropy (8bit):5.830307196101327
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:dIg0MWRViP.exe
                                                                  File size:182'272 bytes
                                                                  MD5:a6c7dd82eace106350d20d93956360e6
                                                                  SHA1:19c5ea0607b527e4c2b08a39583db38f503933e0
                                                                  SHA256:b7ab94357342f73380569c9b23bc81741e1784b8a7cfdfe8df680000a1f3da1f
                                                                  SHA512:6e3d950e1a16103710985e9e0993f26ece5f7d67eadbd711941e826117d0d884624ddf166d3a70e25453518bb2f7d9a9c2dede25f6785dcb24d6031ba29c419e
                                                                  SSDEEP:1536:DAc76NGJEzLoCPMkXzxIGzA9aRmNjo/Phcnr6xMtxUtoIlESP5tA9bDQqpN+X:D7kXzxIGzA9aUo/PhcnVHUtoe5K9
                                                                  TLSH:27049E113A90D031ED9FC7364A25F2E09A2A7C61A7F1C19F3780767F1EB32D19A1A365
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$Bl.E,?.E,?.E,?V..?.E,?...?.E,?...?.E,?...?.E,?..W?.E,?.E-?.E,?...?.E,?...?.E,?...?.E,?Rich.E,?........................PE..L..
                                                                  Icon Hash:17794cb2b24d2117
                                                                  Entrypoint:0x4015f7
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x655E6E3D [Wed Nov 22 21:10:21 2023 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:5
                                                                  OS Version Minor:0
                                                                  File Version Major:5
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:5
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:3b7ea5b6d78948c9d917846499b5c3b5
                                                                  Instruction
                                                                  call 00007F09D0D27403h
                                                                  jmp 00007F09D0D2374Dh
                                                                  mov edi, edi
                                                                  push ebp
                                                                  mov ebp, esp
                                                                  sub esp, 00000328h
                                                                  mov dword ptr [00423438h], eax
                                                                  mov dword ptr [00423434h], ecx
                                                                  mov dword ptr [00423430h], edx
                                                                  mov dword ptr [0042342Ch], ebx
                                                                  mov dword ptr [00423428h], esi
                                                                  mov dword ptr [00423424h], edi
                                                                  mov word ptr [00423450h], ss
                                                                  mov word ptr [00423444h], cs
                                                                  mov word ptr [00423420h], ds
                                                                  mov word ptr [0042341Ch], es
                                                                  mov word ptr [00423418h], fs
                                                                  mov word ptr [00423414h], gs
                                                                  pushfd
                                                                  pop dword ptr [00423448h]
                                                                  mov eax, dword ptr [ebp+00h]
                                                                  mov dword ptr [0042343Ch], eax
                                                                  mov eax, dword ptr [ebp+04h]
                                                                  mov dword ptr [00423440h], eax
                                                                  lea eax, dword ptr [ebp+08h]
                                                                  mov dword ptr [0042344Ch], eax
                                                                  mov eax, dword ptr [ebp-00000320h]
                                                                  mov dword ptr [00423388h], 00010001h
                                                                  mov eax, dword ptr [00423440h]
                                                                  mov dword ptr [0042333Ch], eax
                                                                  mov dword ptr [00423330h], C0000409h
                                                                  mov dword ptr [00423334h], 00000001h
                                                                  mov eax, dword ptr [00421004h]
                                                                  mov dword ptr [ebp-00000328h], eax
                                                                  mov eax, dword ptr [00421008h]
                                                                  mov dword ptr [ebp-00000324h], eax
                                                                  call dword ptr [000000B8h]
                                                                  Programming Language:
                                                                  • [C++] VS2008 build 21022
                                                                  • [ASM] VS2008 build 21022
                                                                  • [ C ] VS2008 build 21022
                                                                  • [IMP] VS2005 build 50727
                                                                  • [RES] VS2008 build 21022
                                                                  • [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1fa8c | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1f3e000 | 0xa0d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x184 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8fb6 | 0x9000 | 0bb4946e311cf63612d01d4dab8ce4c2 | False | 0.6155056423611112 | data | 6.618272611582304 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xa000 | 0x16366 | 0x16400 | 12433fd029d89a277d450fadb6e67a82 | False | 0.6130508251404494 | data | 5.989109722273131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x21000 | 0x1f1c65c | 0x2e00 | c31f4d0bc90e337b0d41d4bf4e843872 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1f3e000 | 0xa0d0 | 0xa200 | 47c76288961dbb73abaabec0d427482b | False | 0.35693962191358025 | data | 4.2869273185081225 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x1f44cb8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
RT_CURSOR | 0x1f44de8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
RT_ICON | 0x1f3e460 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.4205756929637527
RT_ICON | 0x1f3f308 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.5361010830324909
RT_ICON | 0x1f3fbb0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.5558755760368663
RT_ICON | 0x1f40278 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.6033236994219653
RT_ICON | 0x1f407e0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.3771784232365145
RT_ICON | 0x1f42d88 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.4047842401500938
RT_ICON | 0x1f43e30 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.4233606557377049
RT_ICON | 0x1f447b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.44148936170212766
RT_DIALOG | 0x1f475a0 | 0x98 | data | | | 0.7631578947368421
RT_STRING | 0x1f47638 | 0xc0 | data | | | 0.546875
RT_STRING | 0x1f476f8 | 0x446 | data | | | 0.4515539305301645
RT_STRING | 0x1f47b40 | 0x4d8 | data | | | 0.4435483870967742
RT_STRING | 0x1f48018 | 0xb6 | data | | | 0.5989010989010989
RT_ACCELERATOR | 0x1f44c98 | 0x20 | data | | | 1.09375
RT_GROUP_CURSOR | 0x1f47390 | 0x22 | data | | | 1.088235294117647
RT_GROUP_ICON | 0x1f44c20 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_VERSION | 0x1f473b8 | 0x1e4 | data | | | 0.5723140495867769
DLL | Import
KERNEL32.dll | GetNumaProcessorNode, CommConfigDialogA, SetErrorMode, InterlockedDecrement, ZombifyActCtx, SetConsoleScreenBufferSize, GetModuleHandleW, GetTickCount, GetProcessHeap, GetConsoleAliasesA, EnumTimeFormatsW, LoadLibraryW, Sleep, WriteConsoleOutputA, FindNextVolumeW, WriteConsoleW, CompareStringW, GetConsoleAliasesLengthW, VirtualUnlock, RaiseException, GetShortPathNameA, GetConsoleAliasesW, SetLastError, GetProcAddress, VerLanguageNameW, BuildCommDCBW, LoadLibraryA, FreeEnvironmentStringsW, PurgeComm, GetCurrentDirectoryA, DeleteCriticalSection, SetCalendarInfoA, GlobalReAlloc, SetConsoleTitleA, SetLocaleInfoA, HeapAlloc, GetLastError, HeapReAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapCreate, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, RtlUnwind, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, CreateFileA, CloseHandle, FlushFileBuffers
USER32.dll | UpdateWindow
ADVAPI32.dll | EnumDependentServicesW
Language of compilation system | Country where language is spoken
Turkish | Turkey
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 21, 2024 07:53:05.362904072 CEST | 49731 | 25 | 192.168.2.4 | 104.47.53.36
May 21, 2024 07:53:06.370826006 CEST | 49731 | 25 | 192.168.2.4 | 104.47.53.36
May 21, 2024 07:53:08.206808090 CEST | 49732 | 443 | 192.168.2.4 | 141.8.199.94
May 21, 2024 07:53:08.206888914 CEST | 443 | 49732 | 141.8.199.94 | 192.168.2.4
May 21, 2024 07:53:08.206983089 CEST | 49732 | 443 | 192.168.2.4 | 141.8.199.94
May 21, 2024 07:53:08.371090889 CEST | 49731 | 25 | 192.168.2.4 | 104.47.53.36
May 21, 2024 07:53:12.370805025 CEST | 49731 | 25 | 192.168.2.4 | 104.47.53.36
May 21, 2024 07:53:20.370709896 CEST | 49731 | 25 | 192.168.2.4 | 104.47.53.36
May 21, 2024 07:53:25.388067961 CEST | 49739 | 25 | 192.168.2.4 | 67.195.228.94
May 21, 2024 07:53:26.402256012 CEST | 49739 | 25 | 192.168.2.4 | 67.195.228.94
May 21, 2024 07:53:28.417609930 CEST | 49739 | 25 | 192.168.2.4 | 67.195.228.94
May 21, 2024 07:53:32.433341026 CEST | 49739 | 25 | 192.168.2.4 | 67.195.228.94
May 21, 2024 07:53:40.448976994 CEST | 49739 | 25 | 192.168.2.4 | 67.195.228.94
May 21, 2024 07:53:45.403716087 CEST | 49740 | 25 | 192.168.2.4 | 142.251.168.26
May 21, 2024 07:53:46.401987076 CEST | 49740 | 25 | 192.168.2.4 | 142.251.168.26
May 21, 2024 07:53:48.216392994 CEST | 49732 | 443 | 192.168.2.4 | 141.8.199.94
May 21, 2024 07:53:48.216485977 CEST | 443 | 49732 | 141.8.199.94 | 192.168.2.4
May 21, 2024 07:53:48.216553926 CEST | 49732 | 443 | 192.168.2.4 | 141.8.199.94
May 21, 2024 07:53:48.324961901 CEST | 49741 | 443 | 192.168.2.4 | 141.8.199.94
May 21, 2024 07:53:48.325057030 CEST | 443 | 49741 | 141.8.199.94 | 192.168.2.4
May 21, 2024 07:53:48.325145960 CEST | 49741 | 443 | 192.168.2.4 | 141.8.199.94
May 21, 2024 07:53:48.401992083 CEST | 49740 | 25 | 192.168.2.4 | 142.251.168.26
May 21, 2024 07:53:52.402172089 CEST | 49740 | 25 | 192.168.2.4 | 142.251.168.26
May 21, 2024 07:54:00.402035952 CEST | 49740 | 25 | 192.168.2.4 | 142.251.168.26
May 21, 2024 07:54:05.418873072 CEST | 49743 | 25 | 192.168.2.4 | 217.69.139.150
May 21, 2024 07:54:06.433290005 CEST | 49743 | 25 | 192.168.2.4 | 217.69.139.150
May 21, 2024 07:54:08.449049950 CEST | 49743 | 25 | 192.168.2.4 | 217.69.139.150
May 21, 2024 07:54:12.448959112 CEST | 49743 | 25 | 192.168.2.4 | 217.69.139.150
May 21, 2024 07:54:20.449269056 CEST | 49743 | 25 | 192.168.2.4 | 217.69.139.150
May 21, 2024 07:54:28.339730978 CEST | 49741 | 443 | 192.168.2.4 | 141.8.199.94
May 21, 2024 07:54:28.339839935 CEST | 443 | 49741 | 141.8.199.94 | 192.168.2.4
May 21, 2024 07:54:28.339911938 CEST | 49741 | 443 | 192.168.2.4 | 141.8.199.94
May 21, 2024 07:54:28.449723959 CEST | 49744 | 443 | 192.168.2.4 | 141.8.199.94
May 21, 2024 07:54:28.449752092 CEST | 443 | 49744 | 141.8.199.94 | 192.168.2.4
May 21, 2024 07:54:28.449837923 CEST | 49744 | 443 | 192.168.2.4 | 141.8.199.94
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 21, 2024 07:53:05.114269972 CEST | 56540 | 53 | 192.168.2.4 | 1.1.1.1
May 21, 2024 07:53:05.361886024 CEST | 53 | 56540 | 1.1.1.1 | 192.168.2.4
May 21, 2024 07:53:08.043701887 CEST | 59894 | 53 | 192.168.2.4 | 1.1.1.1
May 21, 2024 07:53:08.206214905 CEST | 53 | 59894 | 1.1.1.1 | 192.168.2.4
May 21, 2024 07:53:25.371529102 CEST | 60341 | 53 | 192.168.2.4 | 1.1.1.1
May 21, 2024 07:53:25.378815889 CEST | 53 | 60341 | 1.1.1.1 | 192.168.2.4
May 21, 2024 07:53:25.379499912 CEST | 62594 | 53 | 192.168.2.4 | 1.1.1.1
May 21, 2024 07:53:25.387541056 CEST | 53 | 62594 | 1.1.1.1 | 192.168.2.4
May 21, 2024 07:53:45.386902094 CEST | 53019 | 53 | 192.168.2.4 | 1.1.1.1
May 21, 2024 07:53:45.394581079 CEST | 53 | 53019 | 1.1.1.1 | 192.168.2.4
May 21, 2024 07:53:45.395425081 CEST | 52021 | 53 | 192.168.2.4 | 1.1.1.1
May 21, 2024 07:53:45.403125048 CEST | 53 | 52021 | 1.1.1.1 | 192.168.2.4
May 21, 2024 07:54:05.402614117 CEST | 60831 | 53 | 192.168.2.4 | 1.1.1.1
May 21, 2024 07:54:05.409778118 CEST | 53 | 60831 | 1.1.1.1 | 192.168.2.4
May 21, 2024 07:54:05.410526991 CEST | 55798 | 53 | 192.168.2.4 | 1.1.1.1
May 21, 2024 07:54:05.418091059 CEST | 53 | 55798 | 1.1.1.1 | 192.168.2.4
May 21, 2024 07:55:06.534887075 CEST | 51094 | 53 | 192.168.2.4 | 1.1.1.1
May 21, 2024 07:55:06.612116098 CEST | 53 | 51094 | 1.1.1.1 | 192.168.2.4
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 21, 2024 07:53:05.114269972 CEST | 192.168.2.4 | 1.1.1.1 | 0xbf0e | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:08.043701887 CEST | 192.168.2.4 | 1.1.1.1 | 0x893e | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:25.371529102 CEST | 192.168.2.4 | 1.1.1.1 | 0x133e | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
May 21, 2024 07:53:25.379499912 CEST | 192.168.2.4 | 1.1.1.1 | 0x3f98 | Standard query (0) | mta7.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:45.386902094 CEST | 192.168.2.4 | 1.1.1.1 | 0x93ad | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
May 21, 2024 07:53:45.395425081 CEST | 192.168.2.4 | 1.1.1.1 | 0x1877 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
May 21, 2024 07:54:05.402614117 CEST | 192.168.2.4 | 1.1.1.1 | 0xe9c8 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
May 21, 2024 07:54:05.410526991 CEST | 192.168.2.4 | 1.1.1.1 | 0x8fa5 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
May 21, 2024 07:55:06.534887075 CEST | 192.168.2.4 | 1.1.1.1 | 0x7979 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 21, 2024 07:53:05.361886024 CEST | 1.1.1.1 | 192.168.2.4 | 0xbf0e | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:05.361886024 CEST | 1.1.1.1 | 192.168.2.4 | 0xbf0e | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:08.206214905 CEST | 1.1.1.1 | 192.168.2.4 | 0x893e | No error (0) | vanaheim.cn | | 141.8.199.94 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:25.378815889 CEST | 1.1.1.1 | 192.168.2.4 | 0x133e | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
May 21, 2024 07:53:25.378815889 CEST | 1.1.1.1 | 192.168.2.4 | 0x133e | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
May 21, 2024 07:53:25.378815889 CEST | 1.1.1.1 | 192.168.2.4 | 0x133e | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
May 21, 2024 07:53:25.387541056 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f98 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:25.387541056 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f98 | No error (0) | mta7.am0.yahoodns.net | | 67.195.228.111 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:25.387541056 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f98 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:25.387541056 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f98 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:25.387541056 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f98 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:25.387541056 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f98 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:25.387541056 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f98 | No error (0) | mta7.am0.yahoodns.net | | 98.136.96.75 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:25.387541056 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f98 | No error (0) | mta7.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:45.394581079 CEST | 1.1.1.1 | 192.168.2.4 | 0x93ad | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
May 21, 2024 07:53:45.403125048 CEST | 1.1.1.1 | 192.168.2.4 | 0x1877 | No error (0) | smtp.google.com | | 142.251.168.26 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:45.403125048 CEST | 1.1.1.1 | 192.168.2.4 | 0x1877 | No error (0) | smtp.google.com | | 142.250.110.26 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:45.403125048 CEST | 1.1.1.1 | 192.168.2.4 | 0x1877 | No error (0) | smtp.google.com | | 142.251.168.27 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:45.403125048 CEST | 1.1.1.1 | 192.168.2.4 | 0x1877 | No error (0) | smtp.google.com | | 142.250.110.27 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:53:45.403125048 CEST | 1.1.1.1 | 192.168.2.4 | 0x1877 | No error (0) | smtp.google.com | | 142.251.5.27 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:54:05.409778118 CEST | 1.1.1.1 | 192.168.2.4 | 0xe9c8 | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
May 21, 2024 07:54:05.418091059 CEST | 1.1.1.1 | 192.168.2.4 | 0x8fa5 | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:54:05.418091059 CEST | 1.1.1.1 | 192.168.2.4 | 0x8fa5 | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:55:06.612116098 CEST | 1.1.1.1 | 192.168.2.4 | 0x7979 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
May 21, 2024 07:55:06.612116098 CEST | 1.1.1.1 | 192.168.2.4 | 0x7979 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false


                                                                  Target ID:0
                                                                  Start time:01:52:59
                                                                  Start date:21/05/2024
                                                                  Path:C:\Users\user\Desktop\dIg0MWRViP.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\dIg0MWRViP.exe"
                                                                  Imagebase:0x400000
                                                                  File size:182'272 bytes
                                                                  MD5 hash:A6C7DD82EACE106350D20D93956360E6
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1729000703.000000000237D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1683260511.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1683260511.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1683260511.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:01:53:00
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\soirllif\
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:01:53:00
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:01:53:01
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\rdliobhf.exe" C:\Windows\SysWOW64\soirllif\
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:01:53:01
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:01:53:01
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\sc.exe" create soirllif binPath= "C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d\"C:\Users\user\Desktop\dIg0MWRViP.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                  Imagebase:0xee0000
                                                                  File size:61'440 bytes
                                                                  MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:6
                                                                  Start time:01:53:01
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:01:53:02
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\sc.exe" description soirllif "wifi internet conection"
                                                                  Imagebase:0xee0000
                                                                  File size:61'440 bytes
                                                                  MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:8
                                                                  Start time:01:53:02
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:01:53:03
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\sc.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\sc.exe" start soirllif
                                                                  Imagebase:0xee0000
                                                                  File size:61'440 bytes
                                                                  MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:01:53:03
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:11
                                                                  Start time:01:53:03
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\soirllif\rdliobhf.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\soirllif\rdliobhf.exe /d"C:\Users\user\Desktop\dIg0MWRViP.exe"
                                                                  Imagebase:0x400000
                                                                  File size:12'872'704 bytes
                                                                  MD5 hash:0E6E38A8AE20C869A188C52EA93ADF1C
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.1728761636.00000000026F8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1727919607.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1727919607.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1727919607.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.1719474471.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000003.1719474471.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000003.1719474471.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:01:53:03
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:svchost.exe
                                                                  Imagebase:0x420000
                                                                  File size:46'504 bytes
                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                  Reputation:moderate
                                                                  Has exited:false

                                                                  Target ID:13
                                                                  Start time:01:53:03
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                  Imagebase:0x7ff6eef20000
                                                                  File size:55'320 bytes
                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:01:53:03
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 7372 -ip 7372
                                                                  Imagebase:0xab0000
                                                                  File size:483'680 bytes
                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:01:53:03
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                  Imagebase:0x1560000
                                                                  File size:82'432 bytes
                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:16
                                                                  Start time:01:53:03
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:17
                                                                  Start time:01:53:03
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5436 -ip 5436
                                                                  Imagebase:0xab0000
                                                                  File size:483'680 bytes
                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:01:53:03
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7372 -s 544
                                                                  Imagebase:0xab0000
                                                                  File size:483'680 bytes
                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:19
                                                                  Start time:01:53:04
                                                                  Start date:21/05/2024
                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5436 -s 1032
                                                                  Imagebase:0xab0000
                                                                  File size:483'680 bytes
                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:4%
                                                                    Dynamic/Decrypted Code Coverage:2.1%
                                                                    Signature Coverage:25.6%
                                                                    Total number of Nodes:1549
                                                                    Total number of Limit Nodes:16
                                                                    execution_graph: rendered interactive call graph (node and edge data not reproduced in this text export)
15388->15390 15389->15387 15420 406e36 GetUserNameW 15389->15420 15391 406f3b FreeSid 15390->15391 15392 406f2e 15390->15392 15391->15389 15392->15391 15395 40f0f1 15394->15395 15396 40f0ed 15394->15396 15397 40f119 15395->15397 15398 40f0fa lstrlenA SysAllocStringByteLen 15395->15398 15396->15030 15399 40f11c MultiByteToWideChar 15397->15399 15398->15399 15400 40f117 15398->15400 15399->15400 15400->15030 15402 401820 17 API calls 15401->15402 15403 4018f2 15402->15403 15404 4018f9 15403->15404 15423 401280 15403->15423 15404->15026 15406 401908 15406->15026 15408 40920e 15407->15408 15411 409308 15407->15411 15409 4092f1 Sleep 15408->15409 15410 4092bf ShellExecuteA 15408->15410 15408->15411 15409->15408 15410->15408 15410->15411 15411->15026 15413 40ef32 15412->15413 15413->15023 15435 401000 15414->15435 15416 401839 15417 401851 GetCurrentProcess 15416->15417 15418 40183d 15416->15418 15419 401864 15417->15419 15418->15017 15419->15017 15421 406e5f LookupAccountNameW 15420->15421 15422 406e97 15420->15422 15421->15422 15422->15387 15424 4012e1 15423->15424 15425 4016f9 GetLastError 15424->15425 15432 4013a8 15424->15432 15426 401699 15425->15426 15426->15406 15427 401570 lstrlenW 15427->15432 15428 4015be GetStartupInfoW 15428->15432 15429 4015ff CreateProcessWithLogonW 15430 4016bf GetLastError 15429->15430 15431 40163f WaitForSingleObject 15429->15431 15430->15426 15431->15432 15433 401659 CloseHandle 15431->15433 15432->15426 15432->15427 15432->15428 15432->15429 15434 401668 CloseHandle 15432->15434 15433->15432 15434->15432 15436 40100d LoadLibraryA 15435->15436 15444 401023 15435->15444 15437 401021 15436->15437 15436->15444 15437->15416 15438 4010b5 GetProcAddress 15439 4010d1 GetProcAddress 15438->15439 15440 40127b 15438->15440 15439->15440 15441 4010f0 GetProcAddress 15439->15441 15440->15416 15441->15440 15442 401110 GetProcAddress 15441->15442 15442->15440 15443 401130 GetProcAddress 15442->15443 15443->15440 15445 40114f GetProcAddress 
15443->15445 15444->15438 15455 4010ae 15444->15455 15445->15440 15446 40116f GetProcAddress 15445->15446 15446->15440 15447 40118f GetProcAddress 15446->15447 15447->15440 15448 4011ae GetProcAddress 15447->15448 15448->15440 15449 4011ce GetProcAddress 15448->15449 15449->15440 15450 4011ee GetProcAddress 15449->15450 15450->15440 15451 401209 GetProcAddress 15450->15451 15451->15440 15452 401225 GetProcAddress 15451->15452 15452->15440 15453 401241 GetProcAddress 15452->15453 15453->15440 15454 40125c GetProcAddress 15453->15454 15454->15440 15455->15416 15458 4069b9 WriteFile 15456->15458 15459 406a3c 15458->15459 15461 4069ff 15458->15461 15459->15039 15459->15040 15460 406a10 WriteFile 15460->15459 15460->15461 15461->15459 15461->15460 15463 40eb17 15462->15463 15464 40eb21 15462->15464 15466 40eae4 15463->15466 15464->15044 15467 40eb02 GetProcAddress 15466->15467 15468 40eaed LoadLibraryA 15466->15468 15467->15464 15468->15467 15469 40eb01 15468->15469 15469->15464 15471 40eba7 GetProcessHeap HeapSize 15470->15471 15472 40ebbf GetProcessHeap RtlFreeHeap 15470->15472 15471->15472 15472->15073 15474 40908d 15473->15474 15475 4090e2 wsprintfA 15474->15475 15476 40ee2a 15475->15476 15477 4090fd CreateFileA 15476->15477 15478 40911a lstrlenA WriteFile CloseHandle 15477->15478 15479 40913f 15477->15479 15478->15479 15479->15082 15479->15083 15481 40ee2a 15480->15481 15482 409794 CreateProcessA 15481->15482 15483 4097c2 15482->15483 15484 4097bb 15482->15484 15485 4097d4 GetThreadContext 15483->15485 15484->15094 15486 409801 15485->15486 15487 4097f5 15485->15487 15494 40637c 15486->15494 15488 4097f6 TerminateProcess 15487->15488 15488->15484 15490 409816 15490->15488 15491 40981e WriteProcessMemory 15490->15491 15491->15487 15492 40983b SetThreadContext 15491->15492 15492->15487 15493 409858 ResumeThread 15492->15493 15493->15484 15495 406386 15494->15495 15496 40638a GetModuleHandleA VirtualAlloc 15494->15496 15495->15490 15497 4063f5 15496->15497 15498 
4063b6 15496->15498 15497->15490 15499 4063be VirtualAllocEx 15498->15499 15499->15497 15500 4063d6 15499->15500 15501 4063df WriteProcessMemory 15500->15501 15501->15497 15503 40dd41 InterlockedExchange 15502->15503 15504 40dd20 GetCurrentThreadId 15503->15504 15505 40dd4a 15503->15505 15506 40dd53 GetCurrentThreadId 15504->15506 15507 40dd2e GetTickCount 15504->15507 15505->15506 15506->15097 15507->15505 15508 40dd39 Sleep 15507->15508 15508->15503 15510 40dbf0 15509->15510 15542 40db67 GetEnvironmentVariableA 15510->15542 15512 40dc19 15513 40dcda 15512->15513 15514 40db67 3 API calls 15512->15514 15513->15099 15515 40dc5c 15514->15515 15515->15513 15516 40db67 3 API calls 15515->15516 15517 40dc9b 15516->15517 15517->15513 15518 40db67 3 API calls 15517->15518 15518->15513 15520 40db55 15519->15520 15521 40db3a 15519->15521 15520->15101 15520->15106 15546 40ebed 15521->15546 15555 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15523->15555 15525 40e3be 15525->15101 15526 40e342 15526->15525 15558 40de24 15526->15558 15529 40e528 15528->15529 15530 40e3f4 15528->15530 15529->15109 15531 40e434 RegQueryValueExA 15530->15531 15532 40e458 15531->15532 15533 40e51d RegCloseKey 15531->15533 15534 40e46e RegQueryValueExA 15532->15534 15533->15529 15534->15532 15535 40e488 15534->15535 15535->15533 15536 40db2e 8 API calls 15535->15536 15537 40e499 15536->15537 15537->15533 15538 40e4b9 RegQueryValueExA 15537->15538 15539 40e4e8 15537->15539 15538->15537 15538->15539 15539->15533 15540 40e332 14 API calls 15539->15540 15541 40e513 15540->15541 15541->15533 15543 40db89 lstrcpyA CreateFileA 15542->15543 15544 40dbca 15542->15544 15543->15512 15544->15512 15547 40ec01 15546->15547 15548 40ebf6 15546->15548 15550 40eba0 codecvt 2 API calls 15547->15550 15549 40ebcc 4 API calls 15548->15549 15551 40ebfe 15549->15551 15552 40ec0a GetProcessHeap HeapReAlloc 15550->15552 15551->15520 15553 40eb74 2 API calls 15552->15553 15554 40ec28 15553->15554 15554->15520 15569 
40eb41 15555->15569 15560 40de3a 15558->15560 15565 40de4e 15560->15565 15573 40dd84 15560->15573 15562 40ebed 8 API calls 15567 40def6 15562->15567 15563 40de9e 15563->15562 15563->15565 15564 40de76 15577 40ddcf 15564->15577 15565->15526 15567->15565 15568 40ddcf lstrcmpA 15567->15568 15568->15565 15570 40eb54 15569->15570 15571 40eb4a 15569->15571 15570->15526 15572 40eae4 2 API calls 15571->15572 15572->15570 15574 40ddc5 15573->15574 15575 40dd96 15573->15575 15574->15563 15574->15564 15575->15574 15576 40ddad lstrcmpiA 15575->15576 15576->15574 15576->15575 15578 40de20 15577->15578 15579 40dddd 15577->15579 15578->15565 15579->15578 15580 40ddfa lstrcmpA 15579->15580 15580->15579 15582 40dd05 6 API calls 15581->15582 15583 40e821 15582->15583 15584 40dd84 lstrcmpiA 15583->15584 15585 40e82c 15584->15585 15586 40e844 15585->15586 15629 402480 15585->15629 15586->15126 15589 40dd05 6 API calls 15588->15589 15590 40df7c 15589->15590 15591 40dd84 lstrcmpiA 15590->15591 15595 40df89 15591->15595 15592 40dfc4 15592->15132 15593 40ddcf lstrcmpA 15593->15595 15594 40ec2e codecvt 4 API calls 15594->15595 15595->15592 15595->15593 15595->15594 15596 40dd84 lstrcmpiA 15595->15596 15596->15595 15598 40ea98 15597->15598 15638 40e8a1 15598->15638 15600 401e84 15600->15135 15602 4019d5 GetProcAddress GetProcAddress GetProcAddress 15601->15602 15605 4019ce 15601->15605 15603 401ab3 FreeLibrary 15602->15603 15604 401a04 15602->15604 15603->15605 15604->15603 15606 401a14 GetProcessHeap 15604->15606 15605->15139 15606->15605 15608 401a2e HeapAlloc 15606->15608 15608->15605 15609 401a42 15608->15609 15610 401a52 HeapReAlloc 15609->15610 15612 401a62 15609->15612 15610->15612 15611 401aa1 FreeLibrary 15611->15605 15612->15611 15613 401a96 HeapFree 15612->15613 15613->15611 15666 401ac3 LoadLibraryA 15614->15666 15617 401bcf 15617->15150 15619 401ac3 12 API calls 15618->15619 15620 401c09 15619->15620 15621 401c41 15620->15621 15622 401c0d GetComputerNameA 15620->15622 
15621->15158 15623 401c45 GetVolumeInformationA 15622->15623 15624 401c1f 15622->15624 15623->15621 15624->15621 15624->15623 15626 40ee2a 15625->15626 15627 4030d0 gethostname gethostbyname 15626->15627 15628 401f82 15627->15628 15628->15163 15628->15165 15632 402419 lstrlenA 15629->15632 15631 402491 15631->15586 15633 402474 15632->15633 15634 40243d lstrlenA 15632->15634 15633->15631 15635 402464 lstrlenA 15634->15635 15636 40244e lstrcmpiA 15634->15636 15635->15633 15635->15634 15636->15635 15637 40245c 15636->15637 15637->15633 15637->15635 15639 40dd05 6 API calls 15638->15639 15640 40e8b4 15639->15640 15641 40dd84 lstrcmpiA 15640->15641 15642 40e8c0 15641->15642 15643 40e90a 15642->15643 15644 40e8c8 lstrcpynA 15642->15644 15645 402419 4 API calls 15643->15645 15654 40ea27 15643->15654 15646 40e8f5 15644->15646 15647 40e926 lstrlenA lstrlenA 15645->15647 15659 40df4c 15646->15659 15648 40e96a 15647->15648 15649 40e94c lstrlenA 15647->15649 15653 40ebcc 4 API calls 15648->15653 15648->15654 15649->15648 15651 40e901 15652 40dd84 lstrcmpiA 15651->15652 15652->15643 15655 40e98f 15653->15655 15654->15600 15655->15654 15656 40df4c 20 API calls 15655->15656 15657 40ea1e 15656->15657 15658 40ec2e codecvt 4 API calls 15657->15658 15658->15654 15660 40dd05 6 API calls 15659->15660 15661 40df51 15660->15661 15662 40f04e 4 API calls 15661->15662 15663 40df58 15662->15663 15664 40de24 10 API calls 15663->15664 15665 40df63 15664->15665 15665->15651 15667 401ae2 GetProcAddress 15666->15667 15668 401b68 GetComputerNameA GetVolumeInformationA 15666->15668 15667->15668 15669 401af5 15667->15669 15668->15617 15670 40ebed 8 API calls 15669->15670 15671 401b29 15669->15671 15670->15669 15671->15668 15671->15671 15672 40ec2e codecvt 4 API calls 15671->15672 15672->15668 15674 406ec3 2 API calls 15673->15674 15675 407ef4 15674->15675 15676 407fc9 15675->15676 15677 4073ff 17 API calls 15675->15677 15676->15177 15678 407f16 15677->15678 15678->15676 15686 407809 GetUserNameA 
15678->15686 15680 407f63 15680->15676 15681 40ef1e lstrlenA 15680->15681 15682 407fa6 15681->15682 15683 40ef1e lstrlenA 15682->15683 15684 407fb7 15683->15684 15710 407a95 RegOpenKeyExA 15684->15710 15687 40783d LookupAccountNameA 15686->15687 15688 407a8d 15686->15688 15687->15688 15689 407874 GetLengthSid GetFileSecurityA 15687->15689 15688->15680 15689->15688 15690 4078a8 GetSecurityDescriptorOwner 15689->15690 15691 4078c5 EqualSid 15690->15691 15692 40791d GetSecurityDescriptorDacl 15690->15692 15691->15692 15693 4078dc LocalAlloc 15691->15693 15692->15688 15708 407941 15692->15708 15693->15692 15694 4078ef InitializeSecurityDescriptor 15693->15694 15695 407916 LocalFree 15694->15695 15696 4078fb SetSecurityDescriptorOwner 15694->15696 15695->15692 15696->15695 15698 40790b SetFileSecurityA 15696->15698 15697 40795b GetAce 15697->15708 15698->15695 15699 407980 EqualSid 15699->15708 15700 407a3d 15700->15688 15703 407a43 LocalAlloc 15700->15703 15701 4079be EqualSid 15701->15708 15702 40799d DeleteAce 15702->15708 15703->15688 15704 407a56 InitializeSecurityDescriptor 15703->15704 15705 407a62 SetSecurityDescriptorDacl 15704->15705 15706 407a86 LocalFree 15704->15706 15705->15706 15707 407a73 SetFileSecurityA 15705->15707 15706->15688 15707->15706 15709 407a83 15707->15709 15708->15688 15708->15697 15708->15699 15708->15700 15708->15701 15708->15702 15709->15706 15711 407ac4 15710->15711 15712 407acb GetUserNameA 15710->15712 15711->15676 15713 407da7 RegCloseKey 15712->15713 15714 407aed LookupAccountNameA 15712->15714 15713->15711 15714->15713 15715 407b24 RegGetKeySecurity 15714->15715 15715->15713 15716 407b49 GetSecurityDescriptorOwner 15715->15716 15717 407b63 EqualSid 15716->15717 15718 407bb8 GetSecurityDescriptorDacl 15716->15718 15717->15718 15720 407b74 LocalAlloc 15717->15720 15719 407da6 15718->15719 15726 407bdc 15718->15726 15719->15713 15720->15718 15721 407b8a InitializeSecurityDescriptor 15720->15721 15722 407bb1 LocalFree 15721->15722 
15723 407b96 SetSecurityDescriptorOwner 15721->15723 15722->15718 15723->15722 15725 407ba6 RegSetKeySecurity 15723->15725 15724 407bf8 GetAce 15724->15726 15725->15722 15726->15719 15726->15724 15727 407c1d EqualSid 15726->15727 15728 407cd9 15726->15728 15729 407c5f EqualSid 15726->15729 15730 407c3a DeleteAce 15726->15730 15727->15726 15728->15719 15731 407d5a LocalAlloc 15728->15731 15733 407cf2 RegOpenKeyExA 15728->15733 15729->15726 15730->15726 15731->15719 15732 407d70 InitializeSecurityDescriptor 15731->15732 15734 407d7c SetSecurityDescriptorDacl 15732->15734 15735 407d9f LocalFree 15732->15735 15733->15731 15738 407d0f 15733->15738 15734->15735 15736 407d8c RegSetKeySecurity 15734->15736 15735->15719 15736->15735 15737 407d9c 15736->15737 15737->15735 15739 407d43 RegSetValueExA 15738->15739 15739->15731 15740 407d54 15739->15740 15740->15731 15741->15193 15743 40dd05 6 API calls 15742->15743 15746 40e65f 15743->15746 15744 40e6a5 15745 40ebcc 4 API calls 15744->15745 15751 40e6f5 15744->15751 15748 40e6b0 15745->15748 15746->15744 15747 40e68c lstrcmpA 15746->15747 15747->15746 15749 40e6b7 15748->15749 15750 40e6e0 lstrcpynA 15748->15750 15748->15751 15749->15195 15750->15751 15751->15749 15752 40e71d lstrcmpA 15751->15752 15752->15751 15753->15201 15755 40c525 15754->15755 15756 40c532 15754->15756 15755->15756 15759 40ec2e codecvt 4 API calls 15755->15759 15757 40c548 15756->15757 15906 40e7ff 15756->15906 15760 40e7ff lstrcmpiA 15757->15760 15768 40c54f 15757->15768 15759->15756 15761 40c615 15760->15761 15762 40ebcc 4 API calls 15761->15762 15761->15768 15762->15768 15763 40c5d1 15766 40ebcc 4 API calls 15763->15766 15765 40e819 11 API calls 15767 40c5b7 15765->15767 15766->15768 15769 40f04e 4 API calls 15767->15769 15768->15214 15770 40c5bf 15769->15770 15770->15757 15770->15763 15772 402692 inet_addr 15771->15772 15773 40268e 15771->15773 15772->15773 15774 40269e gethostbyname 15772->15774 15775 40f428 15773->15775 15774->15773 15909 40f315 
15775->15909 15779 40c8d2 15778->15779 15780 40c907 15779->15780 15781 40c517 23 API calls 15779->15781 15780->15216 15781->15780 15782 40f43e 15783 40f473 recv 15782->15783 15784 40f458 15783->15784 15785 40f47c 15783->15785 15784->15783 15784->15785 15785->15232 15787 40c670 15786->15787 15789 40c67d 15786->15789 15788 40ebcc 4 API calls 15787->15788 15788->15789 15790 40ebcc 4 API calls 15789->15790 15792 40c699 15789->15792 15790->15792 15791 40c6f3 15791->15245 15791->15271 15792->15791 15793 40c73c send 15792->15793 15793->15791 15795 40c770 15794->15795 15796 40c77d 15794->15796 15797 40ebcc 4 API calls 15795->15797 15798 40c799 15796->15798 15799 40ebcc 4 API calls 15796->15799 15797->15796 15800 40c7b5 15798->15800 15801 40ebcc 4 API calls 15798->15801 15799->15798 15802 40f43e recv 15800->15802 15801->15800 15803 40c7cb 15802->15803 15804 40f43e recv 15803->15804 15805 40c7d3 15803->15805 15804->15805 15805->15271 15922 407db7 15806->15922 15809 407e96 15809->15271 15810 407e70 15810->15809 15812 40f04e 4 API calls 15810->15812 15811 40f04e 4 API calls 15813 407e4c 15811->15813 15812->15809 15813->15810 15814 40f04e 4 API calls 15813->15814 15814->15810 15816 406ec3 2 API calls 15815->15816 15817 407fdd 15816->15817 15818 4080c2 CreateProcessA 15817->15818 15819 4073ff 17 API calls 15817->15819 15818->15298 15818->15299 15820 407fff 15819->15820 15820->15818 15821 407809 21 API calls 15820->15821 15822 40804d 15821->15822 15822->15818 15823 40ef1e lstrlenA 15822->15823 15824 40809e 15823->15824 15825 40ef1e lstrlenA 15824->15825 15826 4080af 15825->15826 15827 407a95 24 API calls 15826->15827 15827->15818 15829 407db7 2 API calls 15828->15829 15830 407eb8 15829->15830 15831 40f04e 4 API calls 15830->15831 15832 407ece DeleteFileA 15831->15832 15832->15271 15834 40dd05 6 API calls 15833->15834 15835 40e31d 15834->15835 15926 40e177 15835->15926 15837 40e326 15837->15269 15839 4031f3 15838->15839 15849 4031ec 15838->15849 15840 40ebcc 4 API calls 
15839->15840 15854 4031fc 15840->15854 15841 40344b 15842 403459 15841->15842 15843 40349d 15841->15843 15844 40f04e 4 API calls 15842->15844 15845 40ec2e codecvt 4 API calls 15843->15845 15846 40345f 15844->15846 15845->15849 15848 4030fa 4 API calls 15846->15848 15847 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15847->15854 15848->15849 15849->15271 15850 40344d 15851 40ec2e codecvt 4 API calls 15850->15851 15851->15841 15853 403141 lstrcmpiA 15853->15854 15854->15841 15854->15847 15854->15849 15854->15850 15854->15853 15952 4030fa GetTickCount 15854->15952 15856 4030fa 4 API calls 15855->15856 15857 403c1a 15856->15857 15858 403ce6 15857->15858 15957 403a72 15857->15957 15858->15271 15861 403a72 9 API calls 15863 403c5e 15861->15863 15862 403a72 9 API calls 15862->15863 15863->15858 15863->15862 15864 40ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 15863->15864 15864->15863 15866 403a10 15865->15866 15867 4030fa 4 API calls 15866->15867 15868 403a1a 15867->15868 15868->15271 15870 40dd05 6 API calls 15869->15870 15871 40e7be 15870->15871 15871->15271 15873 40c105 15872->15873 15874 40c07e wsprintfA 15872->15874 15873->15271 15966 40bfce GetTickCount wsprintfA 15874->15966 15876 40c0ef 15967 40bfce GetTickCount wsprintfA 15876->15967 15879 407047 15878->15879 15880 406f88 LookupAccountNameA 15878->15880 15879->15271 15882 407025 15880->15882 15884 406fcb 15880->15884 15883 406edd 5 API calls 15882->15883 15885 40702a wsprintfA 15883->15885 15886 406fdb ConvertSidToStringSidA 15884->15886 15885->15879 15886->15882 15887 406ff1 15886->15887 15888 407013 LocalFree 15887->15888 15888->15882 15890 40dd05 6 API calls 15889->15890 15891 40e85c 15890->15891 15892 40dd84 lstrcmpiA 15891->15892 15893 40e867 15892->15893 15894 40e885 lstrcpyA 15893->15894 15968 4024a5 15893->15968 15971 40dd69 15894->15971 15900 407db7 2 API calls 15899->15900 15901 407de1 15900->15901 15902 40f04e 4 API calls 15901->15902 15905 407e16 15901->15905 15903 
407df2 15902->15903 15904 40f04e 4 API calls 15903->15904 15903->15905 15904->15905 15905->15271 15907 40dd84 lstrcmpiA 15906->15907 15908 40c58e 15907->15908 15908->15757 15908->15763 15908->15765 15910 40f33b 15909->15910 15917 40ca1d 15909->15917 15911 40f347 htons socket 15910->15911 15912 40f382 ioctlsocket 15911->15912 15913 40f374 closesocket 15911->15913 15914 40f3aa connect select 15912->15914 15915 40f39d 15912->15915 15913->15917 15914->15917 15918 40f3f2 __WSAFDIsSet 15914->15918 15916 40f39f closesocket 15915->15916 15916->15917 15917->15229 15917->15782 15918->15916 15919 40f403 ioctlsocket 15918->15919 15921 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15919->15921 15921->15917 15923 407dc8 InterlockedExchange 15922->15923 15924 407dc0 Sleep 15923->15924 15925 407dd4 15923->15925 15924->15923 15925->15810 15925->15811 15927 40e184 15926->15927 15928 40e2e4 15927->15928 15929 40e223 15927->15929 15942 40dfe2 15927->15942 15928->15837 15929->15928 15931 40dfe2 8 API calls 15929->15931 15935 40e23c 15931->15935 15932 40e1be 15932->15929 15933 40dbcf 3 API calls 15932->15933 15936 40e1d6 15933->15936 15934 40e21a CloseHandle 15934->15929 15935->15928 15946 40e095 RegCreateKeyExA 15935->15946 15936->15929 15936->15934 15937 40e1f9 WriteFile 15936->15937 15937->15934 15938 40e213 15937->15938 15938->15934 15940 40e2a3 15940->15928 15941 40e095 4 API calls 15940->15941 15941->15928 15943 40dffc 15942->15943 15945 40e024 15942->15945 15944 40db2e 8 API calls 15943->15944 15943->15945 15944->15945 15945->15932 15947 40e172 15946->15947 15950 40e0c0 15946->15950 15947->15940 15948 40e13d 15949 40e14e RegDeleteValueA RegCloseKey 15948->15949 15949->15947 15950->15948 15951 40e115 RegSetValueExA 15950->15951 15951->15948 15951->15950 15953 403122 InterlockedExchange 15952->15953 15954 40312e 15953->15954 15955 40310f GetTickCount 15953->15955 15954->15854 15955->15954 15956 40311a Sleep 15955->15956 15956->15953 15958 40f04e 4 API calls 
15957->15958 15965 403a83 15958->15965 15959 403ac1 15959->15858 15959->15861 15960 403be6 15962 40ec2e codecvt 4 API calls 15960->15962 15961 403bc0 15961->15960 15963 40ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 15961->15963 15962->15959 15963->15961 15964 403b66 lstrlenA 15964->15959 15964->15965 15965->15959 15965->15961 15965->15964 15966->15876 15967->15873 15969 402419 4 API calls 15968->15969 15970 4024b6 15969->15970 15970->15894 15972 40dd79 lstrlenA 15971->15972 15972->15271 15974 404084 15973->15974 15975 40407d 15973->15975 15976 403ecd 6 API calls 15974->15976 15977 40408f 15976->15977 15978 404000 3 API calls 15977->15978 15980 404095 15978->15980 15979 404130 15981 403ecd 6 API calls 15979->15981 15980->15979 15983 403f18 4 API calls 15980->15983 15982 404159 CreateNamedPipeA 15981->15982 15984 404167 Sleep 15982->15984 15985 404188 ConnectNamedPipe 15982->15985 15987 4040da 15983->15987 15984->15979 15986 404176 CloseHandle 15984->15986 15988 404195 GetLastError 15985->15988 15993 4041ab 15985->15993 15986->15985 15989 403f8c 4 API calls 15987->15989 15990 40425e DisconnectNamedPipe 15988->15990 15988->15993 15991 4040ec 15989->15991 15990->15985 15992 404127 CloseHandle 15991->15992 15994 404101 15991->15994 15992->15979 15993->15985 15993->15990 15995 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15993->15995 15998 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15993->15998 15999 40426a CloseHandle CloseHandle 15993->15999 15996 403f18 4 API calls 15994->15996 15995->15993 15997 40411c ExitProcess 15996->15997 15998->15993 16000 40e318 23 API calls 15999->16000 16001 40427b 16000->16001 16001->16001 16003 408791 16002->16003 16004 40879f 16002->16004 16005 40f04e 4 API calls 16003->16005 16006 4087bc 16004->16006 16007 40f04e 4 API calls 16004->16007 16005->16004 16008 40e819 11 API calls 16006->16008 16007->16006 16009 4087d7 16008->16009 16021 408803 16009->16021 16023 4026b2 
gethostbyaddr 16009->16023 16011 4087eb 16013 40e8a1 30 API calls 16011->16013 16011->16021 16013->16021 16016 40e819 11 API calls 16016->16021 16017 4088a0 Sleep 16017->16021 16018 4026b2 2 API calls 16018->16021 16020 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16020->16021 16021->16016 16021->16017 16021->16018 16021->16020 16022 40e8a1 30 API calls 16021->16022 16028 40c4d6 16021->16028 16031 40c4e2 16021->16031 16034 402011 16021->16034 16069 408328 16021->16069 16022->16021 16024 4026fb 16023->16024 16025 4026cd 16023->16025 16024->16011 16026 4026e1 inet_ntoa 16025->16026 16027 4026de 16025->16027 16026->16027 16027->16011 16121 40c2dc 16028->16121 16032 40c2dc 141 API calls 16031->16032 16033 40c4ec 16032->16033 16033->16021 16035 402020 16034->16035 16036 40202e 16034->16036 16038 40f04e 4 API calls 16035->16038 16037 40204b 16036->16037 16039 40f04e 4 API calls 16036->16039 16040 40206e GetTickCount 16037->16040 16041 40f04e 4 API calls 16037->16041 16038->16036 16039->16037 16042 402090 16040->16042 16043 4020db GetTickCount 16040->16043 16046 402068 16041->16046 16047 4020d4 GetTickCount 16042->16047 16050 402684 2 API calls 16042->16050 16058 4020ce 16042->16058 16456 401978 16042->16456 16044 402132 GetTickCount GetTickCount 16043->16044 16045 4020e7 16043->16045 16048 40f04e 4 API calls 16044->16048 16049 40212b GetTickCount 16045->16049 16060 402125 16045->16060 16063 401978 15 API calls 16045->16063 16461 402ef8 16045->16461 16046->16040 16047->16043 16051 402159 16048->16051 16049->16044 16050->16042 16052 4021b4 16051->16052 16055 40e854 13 API calls 16051->16055 16054 40f04e 4 API calls 16052->16054 16057 4021d1 16054->16057 16059 40218e 16055->16059 16061 4021f2 16057->16061 16064 40ea84 30 API calls 16057->16064 16058->16047 16062 40e819 11 API calls 16059->16062 16060->16049 16061->16021 16065 40219c 16062->16065 16063->16045 16066 4021ec 16064->16066 16065->16052 16469 401c5f 16065->16469 16067 40f04e 4 
API calls 16066->16067 16067->16061 16070 407dd6 6 API calls 16069->16070 16071 40833c 16070->16071 16072 406ec3 2 API calls 16071->16072 16078 408340 16071->16078 16073 40834f 16072->16073 16074 40835c 16073->16074 16080 40846b 16073->16080 16075 4073ff 17 API calls 16074->16075 16084 408373 16075->16084 16076 408626 GetTempPathA 16077 408638 16076->16077 16541 406ba7 IsBadCodePtr 16077->16541 16078->16021 16079 40675c 21 API calls 16096 4085df 16079->16096 16082 4084a7 RegOpenKeyExA 16080->16082 16107 408450 16080->16107 16085 4084c0 RegQueryValueExA 16082->16085 16095 40852f 16082->16095 16083 4086ad 16086 408762 16083->16086 16089 407e2f 6 API calls 16083->16089 16084->16078 16101 4083ea RegOpenKeyExA 16084->16101 16084->16107 16087 408521 RegCloseKey 16085->16087 16088 4084dd 16085->16088 16086->16078 16094 40ec2e codecvt 4 API calls 16086->16094 16087->16095 16088->16087 16091 40ebcc 4 API calls 16088->16091 16104 4086bb 16089->16104 16090 408564 RegOpenKeyExA 16092 4085a5 16090->16092 16097 408573 16090->16097 16099 4084f0 16091->16099 16103 40ec2e codecvt 4 API calls 16092->16103 16092->16107 16093 40875b DeleteFileA 16093->16086 16094->16078 16095->16090 16095->16092 16096->16076 16096->16077 16096->16086 16097->16097 16098 408585 RegSetValueExA RegCloseKey 16097->16098 16098->16092 16099->16087 16100 4084f8 RegQueryValueExA 16099->16100 16100->16087 16102 408515 16100->16102 16105 4083fd RegQueryValueExA 16101->16105 16101->16107 16106 40ec2e codecvt 4 API calls 16102->16106 16103->16107 16104->16093 16108 4086e0 lstrcpyA lstrlenA 16104->16108 16109 40842d RegSetValueExA 16105->16109 16110 40841e 16105->16110 16112 40851d 16106->16112 16107->16079 16107->16096 16113 407fcf 64 API calls 16108->16113 16111 408447 RegCloseKey 16109->16111 16110->16109 16110->16111 16111->16107 16112->16087 16114 408719 CreateProcessA 16113->16114 16115 40873d CloseHandle CloseHandle 16114->16115 16116 40874f 16114->16116 16115->16086 16117 407ee6 64 API calls 16116->16117 
16118 408754 16117->16118 16119 407ead 6 API calls 16118->16119 16120 40875a 16119->16120 16120->16093 16137 40a4c7 GetTickCount 16121->16137 16124 40c300 GetTickCount 16126 40c337 16124->16126 16125 40c326 16125->16126 16129 40c32b GetTickCount 16125->16129 16131 40c363 GetTickCount 16126->16131 16136 40c45e 16126->16136 16127 40c4d2 16127->16021 16128 40c4ab InterlockedIncrement CreateThread 16128->16127 16130 40c4cb CloseHandle 16128->16130 16142 40b535 16128->16142 16129->16126 16130->16127 16132 40c373 16131->16132 16131->16136 16133 40c378 GetTickCount 16132->16133 16134 40c37f 16132->16134 16133->16134 16135 40c43b GetTickCount 16134->16135 16135->16136 16136->16127 16136->16128 16138 40a4f7 InterlockedExchange 16137->16138 16139 40a500 16138->16139 16140 40a4e4 GetTickCount 16138->16140 16139->16124 16139->16125 16139->16136 16140->16139 16141 40a4ef Sleep 16140->16141 16141->16138 16143 40b566 16142->16143 16144 40ebcc 4 API calls 16143->16144 16145 40b587 16144->16145 16146 40ebcc 4 API calls 16145->16146 16173 40b590 16146->16173 16147 40bdcd InterlockedDecrement 16148 40bde2 16147->16148 16150 40ec2e codecvt 4 API calls 16148->16150 16151 40bdea 16150->16151 16153 40ec2e codecvt 4 API calls 16151->16153 16152 40bdb7 Sleep 16152->16173 16154 40bdf2 16153->16154 16156 40be05 16154->16156 16157 40ec2e codecvt 4 API calls 16154->16157 16155 40bdcc 16155->16147 16157->16156 16158 40ebed 8 API calls 16158->16173 16161 40b6b6 lstrlenA 16161->16173 16162 4030b5 2 API calls 16162->16173 16163 40e819 11 API calls 16163->16173 16164 40b6ed lstrcpyA 16217 405ce1 16164->16217 16167 40b731 lstrlenA 16167->16173 16168 40b71f lstrcmpA 16168->16167 16168->16173 16169 40b772 GetTickCount 16169->16173 16170 40bd49 InterlockedIncrement 16314 40a628 16170->16314 16173->16147 16173->16152 16173->16155 16173->16158 16173->16161 16173->16162 16173->16163 16173->16164 16173->16167 16173->16168 16173->16169 16173->16170 16174 40b7ce InterlockedIncrement 16173->16174 16175 40bc5b 
                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                      • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                      • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                      • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                    • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                    • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                    • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                    • ExitProcess.KERNEL32 ref: 00409C06
                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                    • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                    • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                    • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                    • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                    • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                    • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                    • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                    • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                    • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                    • wsprintfA.USER32 ref: 0040A0B6
                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                    • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                    • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                    • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                    • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                      • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                      • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                      • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                    • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                    • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                    • GetLastError.KERNEL32 ref: 0040A3ED
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                    • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                    • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                    • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                    • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                    • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                    • GetTickCount.KERNEL32 ref: 0040A49F
                                                                    • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                    • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                    • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                    • API String ID: 2089075347-2824936573
                                                                    • Opcode ID: 085b9d8147ae087c2ec6eca2e308c88e62f1e09930a9d5b1f46d7a4f91e91af0
                                                                    • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                    • Opcode Fuzzy Hash: 085b9d8147ae087c2ec6eca2e308c88e62f1e09930a9d5b1f46d7a4f91e91af0
                                                                    • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                    • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExecuteShelllstrlen
                                                                    • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                    • API String ID: 1628651668-179334549
                                                                    • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                    • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                    • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                    • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                    • wsprintfA.USER32 ref: 004093CE
                                                                    • wsprintfA.USER32 ref: 0040940C
                                                                    • wsprintfA.USER32 ref: 0040948D
                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                    • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                    • String ID: PromptOnSecureDesktop$runas
                                                                    • API String ID: 3696105349-2220793183
                                                                    • Opcode ID: 02aec6f577dd688fddbb5344b15a6666d7f538056132fce720943a2534271e66
                                                                    • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                    • Opcode Fuzzy Hash: 02aec6f577dd688fddbb5344b15a6666d7f538056132fce720943a2534271e66
                                                                    • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                    • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                    • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 1251348514-2980165447
                                                                    • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                    • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                    • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                    • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                      • Part of subcall function 0040EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0040EC0A,00000000,80000001,?,0040DB55,7FFF0001), ref: 0040EBAD
                                                                      • Part of subcall function 0040EBA0: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBB4
                                                                    • GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                    • RtlFreeHeap.NTDLL(00000000), ref: 0040EC48
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$Process$FreeSize
                                                                    • String ID: '@
                                                                    • API String ID: 1305341483-3530194223
                                                                    • Opcode ID: 08c81c03a0a7108d9ac838324103417e26cacd08bf8f2d3cca78d1ae5343ebed
                                                                    • Instruction ID: 2d0ac8bb9d02bc94818634b60920d143dc176b06b32ab47b2cd542b2b5f2599d
                                                                    • Opcode Fuzzy Hash: 08c81c03a0a7108d9ac838324103417e26cacd08bf8f2d3cca78d1ae5343ebed
                                                                    • Instruction Fuzzy Hash: 3AC012324062307BD5512751BC0DFDB7B28AF45711F0D481AF40576194C7BD588046ED

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                    • GetTickCount.KERNEL32 ref: 0040EC78
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Time$CountFileInformationSystemTickVolume
                                                                    • String ID:
                                                                    • API String ID: 1209300637-0
                                                                    • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                    • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                    • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                    • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0237E5EE
                                                                    • Module32First.KERNEL32(00000000,00000224), ref: 0237E60E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729000703.000000000237D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0237D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_237d000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 3833638111-0
                                                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                    • Instruction ID: 9684589b266cdf2dc51969da3a6cb458effc4ba55b1836d816285883010eb8fa
                                                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                    • Instruction Fuzzy Hash: 20F096352007146FDB303BF5988CF6E76E8AF49625F1005A8F642954C1DB74E8454A65

                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                    • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                      • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                    • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                    • String ID: "$PromptOnSecureDesktop
                                                                    • API String ID: 3433985886-3108538426
                                                                    • Opcode ID: d1745f93e4738621f3a81734226608b64e23a07a53a3347429d52bf37170d4a4
                                                                    • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                    • Opcode Fuzzy Hash: d1745f93e4738621f3a81734226608b64e23a07a53a3347429d52bf37170d4a4
                                                                    • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                    • RegEnumValueA.KERNELBASE(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                    • RegCloseKey.KERNELBASE(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                    • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                      • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                    • String ID: $"$PromptOnSecureDesktop
                                                                    • API String ID: 4293430545-98143240
                                                                    • Opcode ID: 5af9527d081b75e26a8274f62d41663e3dd5d5ca7bdbbab9435bf0acb249f6fa
                                                                    • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                    • Opcode Fuzzy Hash: 5af9527d081b75e26a8274f62d41663e3dd5d5ca7bdbbab9435bf0acb249f6fa
                                                                    • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                    • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                    • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                    • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                    • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                    • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                    • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                    • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                      • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                      • Part of subcall function 0040EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0040EC48
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                    • String ID:
                                                                    • API String ID: 1400801100-0
                                                                    • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                    • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                    • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                    • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                    Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                    APIs
                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 024F024D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID: cess$kernel32.dll
                                                                    • API String ID: 4275171209-1230238691
                                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                    • Instruction ID: fbf06393b412c87a3d50d88f0dbf1f48102c0f1d04f45ddb18649da5986a0ba6
                                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                    • Instruction Fuzzy Hash: 3E526D74A01229DFDBA4CF58C984BADBBB1BF49304F1480DAE54DA7356DB30AA85CF14

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                    • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                    • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                      • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                      • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                      • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                      • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                      • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 4131120076-2980165447
                                                                    • Opcode ID: b0aa9981bb4070313baffe29f7f8b6c817e0d26ac6bef10e6311cdec87a803e2
                                                                    • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                    • Opcode Fuzzy Hash: b0aa9981bb4070313baffe29f7f8b6c817e0d26ac6bef10e6311cdec87a803e2
                                                                    • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                    Control-flow Graph

Control-flow graph not reproduced (interactive rendering); from its basic blocks: function at 00404000 calls CreateFileA and, on failure, GetLastError then Sleep before looping back to CreateFileA.
                                                                    APIs
                                                                    • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                    • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                    • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateErrorFileLastSleep
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 408151869-2980165447
                                                                    • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                    • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                    • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                    • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D
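The API ID and String ID fields under Similarity are the keys Joe Sandbox uses to match a function against functions in other reports. The following Python script is an added example, not Joe Sandbox's own code: it rebuilds those keys from the APIs lines as printed in this report. The tokenisation rules it applies (drop a leading Get/Set/Rtl and a trailing A/W, split CamelCase into words, ignore the word For, count tokens over all listed calls including subcall lines, group by count descending, sort each group in ASCII order, join groups with $) are inferred from the listings on this page and are assumptions; the abbreviated listing lines embedded as sample input are constructed from the report's own APIs sections.

```python
"""Rebuild the "API ID" and "String ID" similarity keys shown under
"Similarity" for each function listing.

Added example for this report, not Joe Sandbox code. The rules are inferred
from the listings on this page and are assumptions:
  * the library suffix and argument list are ignored ("CreateFileA.KERNELBASE(...)");
  * a leading Get/Set/Rtl and a trailing A/W ANSI/Unicode marker are stripped;
  * CamelCase names are split into words, the filler word "For" is dropped,
    and all-lowercase names (lstrcatA, closesocket, send) stay one token;
  * tokens are counted across all listed calls, subcall lines included,
    grouped by count (highest first), sorted in ASCII order inside a group,
    and the groups are joined with "$".
"""
import re
from collections import Counter

# "• Name.LIBRARY(args), ref: ADDR", optionally prefixed with
# "Part of subcall function XXXXXXXX:". Only the name matters here.
_API_CALL = re.compile(r"(?<![\w.])([A-Za-z_]\w*)\.([A-Z][A-Z0-9_]*)")
_PREFIXES = ("Get", "Set", "Rtl")
_FILLER = {"For"}


def api_name(line):
    """Return the API name from one listing line, or None if the line has none."""
    m = _API_CALL.search(line)
    return m.group(1) if m else None


def tokens(name):
    """Split one API name into the words that make up the API ID (assumed rule set)."""
    for prefix in _PREFIXES:
        if name.startswith(prefix) and len(name) > len(prefix) and name[len(prefix)].isupper():
            name = name[len(prefix):]
            break
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]                      # CreateFileA -> CreateFile, lstrcatA -> lstrcat
    if name[0].islower():
        return [name]                         # lstrcat, closesocket, send, wsprintf
    return [w for w in re.findall(r"[A-Z][a-z0-9]*", name) if w not in _FILLER]


def api_id(lines):
    """API ID: count tokens over every call, group by count, '$'-join the groups."""
    counts = Counter()
    for line in lines:
        name = api_name(line)
        if name:
            counts.update(tokens(name))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def string_id(strings):
    """String ID: the referenced strings in ASCII order, '$'-joined (duplicates kept)."""
    return "$".join(sorted(strings))


# Constructed sample input: listing lines from this report, argument lists abbreviated.
RETRY_OPEN_LINES = [
    "• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003), ref: 00404021",
    "• GetLastError.KERNEL32(?,004098FD,00000001), ref: 0040402C",
    "• Sleep.KERNEL32(000001F4,?,004098FD), ref: 00404046",
]
HEAP_LINES = [
    "• GetProcessHeap.KERNEL32(00000000,00000000,80000001), ref: 0040EBD3",
    "• RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA",
    "  • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000), ref: 0040EB81",
    "  • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?), ref: 0040EB88",
]
CONFIG_PATH_LINES = [
    "• lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop), ref: 004099DF",
    "• lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D), ref: 00409A3C",
    "• lstrcatA.KERNEL32(?,00000022,?,?,?), ref: 00409A52",
    "  • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000), ref: 00406A7D",
    "  • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D), ref: 00406ABB",
    "  • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?), ref: 00406B40",
    "  • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?), ref: 00406B4E",
    "  • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?), ref: 00406B80",
]

if __name__ == "__main__":
    for label, lines in (("retry open", RETRY_OPEN_LINES), ("heap", HEAP_LINES),
                         ("config path", CONFIG_PATH_LINES)):
        print(f"{label:12s} API ID: {api_id(lines)}")
    print("String ID:", string_id(["kernel32.dll", "cess"]))
```

Run stand-alone, it prints the three API IDs the report shows for these listings. A listing whose key does not reproduce points at a naming rule this page does not exercise (another prefix, an Ex suffix), which is where the assumed rule set would need extending before relying on it to match functions across reports.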

                                                                    Control-flow Graph

Control-flow graph not reproduced (interactive rendering); from its basic blocks: function at 00406987 makes two WriteFile calls.
                                                                    APIs
                                                                    • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                    • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileWrite
                                                                    • String ID: ,k@
                                                                    • API String ID: 3934441357-1053005162
                                                                    • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                    • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                    • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                    • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                    Control-flow Graph

Control-flow graph not reproduced (interactive rendering); from its basic blocks: function at 004091EB references ShellExecuteA and Sleep.
                                                                    APIs
                                                                    • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                    • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExecuteShellSleep
                                                                    • String ID:
                                                                    • API String ID: 4194306370-0
                                                                    • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                    • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                    • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                    • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                    Control-flow Graph

Control-flow graph not reproduced (interactive rendering); from its basic blocks: function at 024F0E0F makes two consecutive SetErrorMode calls.
                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00000400,?,?,024F0223,?,?), ref: 024F0E19
                                                                    • SetErrorMode.KERNELBASE(00000000,?,?,024F0223,?,?), ref: 024F0E1E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorMode
                                                                    • String ID:
                                                                    • API String ID: 2340568224-0
                                                                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                    • Instruction ID: a1355340812a76edfb87e8f37077e87cd166259ba3829630d5b4c7a92252a5d3
                                                                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                    • Instruction Fuzzy Hash: 52D01231545128B7D7402A94DC09BCE7B1CDF45B66F008011FB0DD9181C770954046E5
                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                    • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                      • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                      • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$Process$AllocateSize
                                                                    • String ID:
                                                                    • API String ID: 2559512979-0
                                                                    • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                    • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                    • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                    • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D
                                                                    APIs
                                                                      • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                      • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                      • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                      • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                    • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                    • String ID:
                                                                    • API String ID: 1823874839-0
                                                                    • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                    • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                    • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                    • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                    APIs
                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0237E2D6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729000703.000000000237D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0237D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_237d000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                    • Instruction ID: 13ffb1ce202b867ae563f450ee37ee012343362e715be5fc4ef7c8e396cff984
                                                                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                    • Instruction Fuzzy Hash: E6113C79A00208EFDB11DF98C985E98BFF5AF08351F058094F9489B361D375EA50EF80
                                                                    APIs
                                                                    • closesocket.WS2_32(?), ref: 0040CA4E
                                                                    • closesocket.WS2_32(?), ref: 0040CB63
                                                                    • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                    • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                    • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                    • wsprintfA.USER32 ref: 0040CD21
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                    • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                    • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                    • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                    • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                    • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                    • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                    • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                    • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                    • closesocket.WS2_32(?), ref: 0040D56C
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                    • ExitProcess.KERNEL32 ref: 0040D583
                                                                    • wsprintfA.USER32 ref: 0040D81F
                                                                      • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                    • closesocket.WS2_32(?), ref: 0040DAD5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                    • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                    • API String ID: 562065436-3791576231
                                                                    • Opcode ID: 5ee263308baf86ce489a886349a9e37e750b35b75793d61b0b45e95a18e734f4
                                                                    • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                    • Opcode Fuzzy Hash: 5ee263308baf86ce489a886349a9e37e750b35b75793d61b0b45e95a18e734f4
                                                                    • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                    • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                    • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                    • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                    • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                    • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                    • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                    • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                    • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                    • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                    • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                    • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                    • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad
                                                                    • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                    • API String ID: 2238633743-3228201535
                                                                    • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                    • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                    • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                    • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                    • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                    • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                    • wsprintfA.USER32 ref: 0040B3B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                    • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                    • API String ID: 766114626-2976066047
                                                                    • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                    • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                    • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                    • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
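The format string and the day/month name tables in the String ID above, fed from GetLocalTime / FileTimeToSystemTime and the Bias of GetTimeZoneInformation, produce an RFC 5322 date-time such as "Mon, 20 May 2024 14:03:07 +0200". The following is an added Python example, not code from the sample or from Joe Sandbox: it feeds the page's exact wsprintfA format with SYSTEMTIME fields and a TIME_ZONE_INFORMATION.Bias value, then checks the output with the standard library's RFC 5322 parser. Assumptions: the field order follows SYSTEMTIME, the offset is derived from Bias alone (UTC = local + Bias, so the printed offset is -Bias), and no daylight bias is applied, since the listing does not show how the return value of GetTimeZoneInformation is used.

```python
"""Reproduce the date string built by the wsprintfA call at 0040B3B7 and check it parses as RFC 5322."""
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime
from typing import Tuple

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]          # SYSTEMTIME.wDayOfWeek: 0 = Sunday
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
FMT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"                    # format string from the listing

# (wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond), SYSTEMTIME order without wMilliseconds
SystemTime = Tuple[int, int, int, int, int, int, int]


def systemtime_from_datetime(dt: datetime) -> SystemTime:
    """Build the SYSTEMTIME tuple; Python's weekday() has Monday = 0, SYSTEMTIME has Sunday = 0."""
    return (dt.year, dt.month, (dt.weekday() + 1) % 7, dt.day, dt.hour, dt.minute, dt.second)


def rfc5322_date(st: SystemTime, bias_minutes: int) -> str:
    """bias_minutes is TIME_ZONE_INFORMATION.Bias (UTC = local + Bias), so the header offset is -Bias.
    Assumption for this example: no daylight bias is folded in."""
    year, month, dow, day, hour, minute, second = st
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    offset = abs(offset)
    return FMT % (DAYS[dow], day, MONTHS[month - 1], year,
                  hour, minute, second, sign, offset // 60, offset % 60)


def roundtrip_ok(dt: datetime, bias_minutes: int) -> bool:
    """Parse the produced string with the stdlib RFC 5322 parser and compare to the input."""
    text = rfc5322_date(systemtime_from_datetime(dt), bias_minutes)
    parsed = parsedate_to_datetime(text)
    return (parsed.replace(tzinfo=None) == dt
            and parsed.utcoffset() == timedelta(minutes=-bias_minutes))


def sample_roundtrips() -> bool:
    """Constructed inputs: CEST (Bias -120) and EST (Bias 300) local times."""
    return (roundtrip_ok(datetime(2024, 5, 20, 14, 3, 7), -120)
            and roundtrip_ok(datetime(2024, 1, 16, 9, 30, 0), 300))


if __name__ == "__main__":
    print(rfc5322_date(systemtime_from_datetime(datetime(2024, 5, 20, 14, 3, 7)), -120))
    print("roundtrip:", sample_roundtrips())
```

The sign handling is the part worth checking in a sample: Bias is positive west of UTC, so a negative Bias (CET/CEST) must print as "+HHMM". A string in this exact shape is what to look for in captured outbound traffic from the sample's network activity.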
                                                                    APIs
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                    • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                    • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                    • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                    • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                    • String ID: D
                                                                    • API String ID: 3722657555-2746444292
                                                                    • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                    • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                    • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                    • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                    APIs
                                                                    • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                    • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                    • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                    • GetTickCount.KERNEL32 ref: 00401FC9
                                                                      • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                    • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                    • API String ID: 4207808166-1381319158
                                                                    • Opcode ID: 110b6dfce453f86d90b76d90b4f40e7d8c24a5c0218ad8ac054d44c6fd0a90ba
                                                                    • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                    • Opcode Fuzzy Hash: 110b6dfce453f86d90b76d90b4f40e7d8c24a5c0218ad8ac054d44c6fd0a90ba
                                                                    • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                    • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                    • htons.WS2_32(00000000), ref: 00402ADB
                                                                    • select.WS2_32 ref: 00402B28
                                                                    • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                    • htons.WS2_32(?), ref: 00402B71
                                                                    • htons.WS2_32(?), ref: 00402B8C
                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                    • String ID:
                                                                    • API String ID: 1639031587-0
                                                                    • Opcode ID: ac048a5111c4c0facacafd4696e747130b11041e76af35315694b4682072b2fe
                                                                    • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                    • Opcode Fuzzy Hash: ac048a5111c4c0facacafd4696e747130b11041e76af35315694b4682072b2fe
                                                                    • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                    • ExitProcess.KERNEL32 ref: 00404121
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateEventExitProcess
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 2404124870-2980165447
                                                                    • Opcode ID: db7f5c645f4a165619cd73390d37071b2a25bff7da9d907bf9deffaa756c70e2
                                                                    • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                    • Opcode Fuzzy Hash: db7f5c645f4a165619cd73390d37071b2a25bff7da9d907bf9deffaa756c70e2
                                                                    • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                    APIs
                                                                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                    • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                    • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                    • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Read$AddressLibraryLoadProc
                                                                    • String ID:
                                                                    • API String ID: 2438460464-0
                                                                    • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                    • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                    • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                    • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
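The IsBadReadPtr(?, 00000014) probes around LoadLibraryA and GetProcAddress in the function above read as a hand-rolled import resolver: 0x14 is sizeof(IMAGE_IMPORT_DESCRIPTOR), and each descriptor names a DLL to load and a thunk array of functions to look up. The following is an added Python example, not code from the sample or from Joe Sandbox, that walks an IMAGE_IMPORT_DESCRIPTOR array the same way a loader or unpacker does, with the bounds check that IsBadReadPtr stands in for. Assumptions: the image is already mapped so that RVA equals offset (what the walker sees after sections are laid out), and the sample image, DLL names and the ordinal value 23 are constructed here for the example.

```python
"""Walk a PE import directory (IMAGE_IMPORT_DESCRIPTOR array) from a flat mapped image."""
import struct
from typing import List, Tuple

IMAGE_IMPORT_DESCRIPTOR_SIZE = 0x14      # the 0x14 probed by IsBadReadPtr in the listing
IMAGE_ORDINAL_FLAG32 = 0x80000000        # high bit set: thunk holds an ordinal, not a name RVA

Entry = Tuple[str, object]               # ("name", "LoadLibraryA") or ("ordinal", 23)


def _cstr(img: bytes, off: int) -> str:
    end = img.index(b"\x00", off)        # raises ValueError if no terminator before end of image
    return img[off:end].decode("ascii")


def walk_import_table(img: bytes, import_dir_rva: int) -> List[Tuple[str, List[Entry]]]:
    """Return [(dll, [entries])] for every descriptor until the all-zero terminator."""
    imports = []
    off = import_dir_rva
    while True:
        # The bounds check a robust walker needs (the role IsBadReadPtr plays in the listing).
        if off + IMAGE_IMPORT_DESCRIPTOR_SIZE > len(img):
            raise ValueError("import descriptor at 0x%X runs past the image" % off)
        oft, stamp, fwd, name_rva, ft = struct.unpack_from("<5I", img, off)
        if oft == 0 and stamp == 0 and fwd == 0 and name_rva == 0 and ft == 0:
            break                        # terminating descriptor
        dll = _cstr(img, name_rva)
        thunk = oft if oft else ft       # bound imports may leave OriginalFirstThunk zero
        entries: List[Entry] = []
        while True:
            (val,) = struct.unpack_from("<I", img, thunk)
            if val == 0:
                break
            if val & IMAGE_ORDINAL_FLAG32:
                entries.append(("ordinal", val & 0xFFFF))
            else:
                entries.append(("name", _cstr(img, val + 2)))   # skip the 2-byte Hint of IMAGE_IMPORT_BY_NAME
            thunk += 4
        imports.append((dll, entries))
        off += IMAGE_IMPORT_DESCRIPTOR_SIZE
    return imports


def build_sample_image() -> bytes:
    """Constructed test image (not taken from the sample): two descriptors plus the null terminator,
    with RVA == offset so walk_import_table can consume it directly."""
    dlls = [("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"]),
            ("WS2_32.dll", [23, "recv"])]          # 23: an import by ordinal, chosen for the example
    img = bytearray((len(dlls) + 1) * IMAGE_IMPORT_DESCRIPTOR_SIZE)   # reserve the descriptor array at RVA 0

    def put(data: bytes) -> int:
        off = len(img)
        img.extend(data)
        while len(img) % 4:
            img.append(0)
        return off

    descriptors = []
    for dll, names in dlls:
        name_rva = put(dll.encode("ascii") + b"\x00")
        thunks = []
        for n in names:
            if isinstance(n, int):
                thunks.append(IMAGE_ORDINAL_FLAG32 | n)
            else:
                thunks.append(put(struct.pack("<H", 0) + n.encode("ascii") + b"\x00"))
        thunks.append(0)
        packed = struct.pack("<%dI" % len(thunks), *thunks)
        oft = put(packed)                # import name table (OriginalFirstThunk)
        ft = put(packed)                 # IAT (FirstThunk); identical until the loader patches it
        descriptors.append((oft, 0, 0, name_rva, ft))
    for i, d in enumerate(descriptors):
        struct.pack_into("<5I", img, i * IMAGE_IMPORT_DESCRIPTOR_SIZE, *d)
    return bytes(img)


if __name__ == "__main__":
    for dll, entries in walk_import_table(build_sample_image(), 0):
        print(dll, entries)
```

Running the walker over a memory dump such as the 00400000 region listed above, with the import directory RVA taken from the optional header, gives the DLL and function names the unpacked code will resolve, which is the same list the LoadLibraryA/GetProcAddress pairs in the listing work through at run time.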
                                                                    APIs
                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                    • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                    • String ID: *p@
                                                                    • API String ID: 3429775523-2474123842
                                                                    • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                    • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                    • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                    • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
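The AllocateAndInitializeSid call above passes two sub-authorities, 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS), and hands the result to CheckTokenMembership, which is the standard "is the caller an administrator" test. The following is an added Python example, not code from the sample or from Joe Sandbox, that encodes and decodes the binary SID structure so the arguments of this call, and the EqualSid/GetLengthSid comparisons in the file-security function listed earlier, can be read off a memory dump. Assumption: the unresolved first argument ("?") is SECURITY_NT_AUTHORITY (value 5), the only authority under which 32-544 is the well-known BUILTIN\Administrators SID.

```python
"""Encode and decode Windows SIDs to interpret the AllocateAndInitializeSid call at 00406F0F."""
import struct
from typing import List, Tuple

# Assumption: the "?" authority argument in the listing is SECURITY_NT_AUTHORITY.
SECURITY_NT_AUTHORITY = 5
SECURITY_BUILTIN_DOMAIN_RID = 0x20      # 32, second argument pair in the listing
DOMAIN_ALIAS_RID_ADMINS = 0x220         # 544, second argument pair in the listing

WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-1-0": "Everyone",
}


def build_sid(authority: int, sub_authorities: List[int]) -> bytes:
    """What AllocateAndInitializeSid produces: Revision(1) | SubAuthorityCount(1) |
    IdentifierAuthority(6 bytes, big-endian) | SubAuthority[n] (4 bytes each, little-endian)."""
    if not 0 <= len(sub_authorities) <= 15:       # SID_MAX_SUB_AUTHORITIES
        raise ValueError("a SID holds at most 15 sub-authorities")
    return (struct.pack("<BB", 1, len(sub_authorities))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_authorities))


def sid_length(sid: bytes) -> int:
    """GetLengthSid: the size implied by the sub-authority count byte, not the buffer size."""
    return 8 + 4 * sid[1]


def sid_to_string(sid: bytes) -> str:
    """Render a binary SID as S-1-A-S1-S2...; rejects buffers shorter than the count implies."""
    if len(sid) < 8 or sid[0] != 1:
        raise ValueError("not a revision-1 SID")
    if len(sid) < sid_length(sid):
        raise ValueError("SID buffer shorter than its sub-authority count implies")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % sid[1], sid, 8)
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def sids_equal(a: bytes, b: bytes) -> bool:
    """EqualSid compares the structures, so bytes past GetLengthSid are ignored."""
    return a[:sid_length(a)] == b[:sid_length(b)]


def describe_sid(sid: bytes) -> Tuple[str, str]:
    text = sid_to_string(sid)
    return text, WELL_KNOWN.get(text, "(not a well-known SID)")


def admin_check_sid() -> Tuple[str, str]:
    """The SID the listed call builds: two sub-authorities 0x20 and 0x220 under the assumed NT authority."""
    return describe_sid(build_sid(SECURITY_NT_AUTHORITY,
                                  [SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS]))


if __name__ == "__main__":
    print(admin_check_sid())
    print(build_sid(SECURITY_NT_AUTHORITY, [32, 544]).hex())
```

With the encoder it is quick to confirm the claim from a dump: the 16 bytes 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 at the address FreeSid later releases are S-1-5-32-544, so the branch after CheckTokenMembership selects the elevated or non-elevated code path.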
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 024F65F6
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 024F6610
                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 024F6631
                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 024F6652
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 1965334864-0
                                                                    • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                    • Instruction ID: 27cab6013b85eb5c5bffe58820841bee06a415e93b3e3a7b3b3167204318af1b
                                                                    • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                    • Instruction Fuzzy Hash: B511A771600218BFEB515F65DC05F9B3FACEB44BA5F014025FA14E7250D7B1DD008AA4
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 1965334864-0
                                                                    • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                    • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                    • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                    • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
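Several of the per-function API listings on this page carry their meaning in the raw argument values: VirtualAllocEx with flProtect 00000040 (PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory in the two functions above, socket(00000002,00000002,00000011) (AF_INET, SOCK_DGRAM, IPPROTO_UDP) in the recv/select function, and GetProcAddress of Nt*/Rtl* names in the ntdll resolver at 00401012. The following is an added Python example, not code from the sample or from Joe Sandbox: a parser for the "• API.MODULE(args), ref: addr" lines in this report's format, with three rules that decode those constants and flag the combinations. The sample lines are copied from the listings above; the rule names and output wording are this example's own.

```python
"""Parse Joe Sandbox per-function API listings and flag remote-execute allocation, UDP sockets
and dynamic ntdll resolution from the argument values."""
import re
from typing import Dict, List, Union

Arg = Union[int, str, None]

# Matches "• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 024F6631"
# and the no-argument form "• wsprintfA.USER32 ref: 0040B3B7".
CALL_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTE_MASK = 0xF0                                  # any of the four PAGE_EXECUTE* bits
ADDRESS_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOCOL = {0: "default", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

# Constructed from the listings on this page.
SAMPLE_INJECTION = [
    "• GetModuleHandleA.KERNEL32(00000000), ref: 024F65F6",
    "• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 024F6610",
    "• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 024F6631",
    "• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 024F6652",
]
SAMPLE_NTDLL = [
    "• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012",
    "• GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2",
    "• GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1",
    "• GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101",
    "• GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160",
]
SAMPLE_SOCKET = [
    "• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0",
    "• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A",
]


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None                                  # value not recovered by the sandbox
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)                          # 32-bit immediate, handle or pointer
    return tok                                       # resolved string argument


def parse_calls(lines: List[str]) -> List[dict]:
    calls = []
    for line in lines:
        m = CALL_RE.search(line)
        if not m:
            continue
        api, module, argstr, ref = m.groups()
        args = [parse_arg(a) for a in argstr.split(",")] if argstr else []
        calls.append({"api": api, "module": module, "args": args, "ref": ref.upper()})
    return calls


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Apply the three rules to one function's API list."""
    calls = parse_calls(lines)
    apis = {c["api"] for c in calls}
    out: Dict[str, List[str]] = {"injection": [], "dynamic_ntdll": [], "sockets": []}
    for c in calls:
        a = c["args"]
        if c["api"] == "VirtualAllocEx" and len(a) >= 5 and isinstance(a[4], int) and a[4] & EXECUTE_MASK:
            if "WriteProcessMemory" in apis:      # executable remote allocation plus a write into it
                out["injection"].append("VirtualAllocEx flProtect=0x%02X (%s) at %s, WriteProcessMemory in same function"
                                        % (a[4], PAGE_PROTECT.get(a[4], "?"), c["ref"]))
        elif c["api"] == "GetProcAddress" and len(a) >= 2 and isinstance(a[1], str) \
                and re.match(r"(Nt|Zw|Rtl|Ldr)", a[1]):
            out["dynamic_ntdll"].append(a[1])       # native API resolved by name at run time
        elif c["api"] == "socket" and len(a) == 3 and all(isinstance(x, int) for x in a):
            out["sockets"].append("%s/%s/%s" % (ADDRESS_FAMILY.get(a[0], str(a[0])),
                                                SOCK_TYPE.get(a[1], str(a[1])),
                                                PROTOCOL.get(a[2], str(a[2]))))
    return out


if __name__ == "__main__":
    for name, block in (("injection", SAMPLE_INJECTION), ("ntdll", SAMPLE_NTDLL), ("socket", SAMPLE_SOCKET)):
        print(name, analyze(block))
```

The parser tolerates the "Part of subcall function ...:" prefix and the argument-less form because it searches for the call rather than anchoring at the bullet. The injection rule keys on the protection constant rather than the API name alone: a VirtualAllocEx with PAGE_READWRITE and no write is routine, the 0x40 plus WriteProcessMemory pair is the sequence that precedes a remote thread or APC.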
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                    • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                      • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                      • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                    • String ID:
                                                                    • API String ID: 3754425949-0
                                                                    • Opcode ID: f6eca2d635dad700dab7ba812a98c92b25c767b6f83168f66ca2aac5250ba8f9
                                                                    • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                    • Opcode Fuzzy Hash: f6eca2d635dad700dab7ba812a98c92b25c767b6f83168f66ca2aac5250ba8f9
                                                                    • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .$GetProcAddress.$l
                                                                    • API String ID: 0-2784972518
                                                                    • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                    • Instruction ID: 8cc2ddee45e4730f41419645bc1fe682aa102da875142fd5a7aad30607f3018e
                                                                    • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                    • Instruction Fuzzy Hash: 41318AB6900609CFEB10CF99C880AAEBBF9FF88324F14504AD941A7315D771EA45CFA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 06c004fe6a7d2a155bcd88644f0f92c807432d7dbe6f22548f72735b6b43e23c
                                                                    • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                    • Opcode Fuzzy Hash: 06c004fe6a7d2a155bcd88644f0f92c807432d7dbe6f22548f72735b6b43e23c
                                                                    • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729000703.000000000237D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0237D000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_237d000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                    • Instruction ID: 83f51195e5bb528f2f8f12a87505701ddf1f22c489f95be6f8dbd6be43ebf3e9
                                                                    • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                    • Instruction Fuzzy Hash: 74117C72340204AFDB64DE55DC80EA673EAEF99620B1980A5ED08CB716D779E842CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                    • Instruction ID: a1c71ae27c6bec535a0940fb186207137ad1d37a2fc915d52da6caf67d1247ae
                                                                    • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                    • Instruction Fuzzy Hash: 0D01F273A116008FDF61CF20C904BAB33E9FBC6206F0550A6DA0A9738AE370A8418B80
                                                                    APIs
                                                                    • ExitProcess.KERNEL32 ref: 024F9E6D
                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 024F9FE1
                                                                    • lstrcat.KERNEL32(?,?), ref: 024F9FF2
                                                                    • lstrcat.KERNEL32(?,0041070C), ref: 024FA004
                                                                    • GetFileAttributesExA.KERNEL32(?,?,?), ref: 024FA054
                                                                    • DeleteFileA.KERNEL32(?), ref: 024FA09F
                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 024FA0D6
                                                                    • lstrcpy.KERNEL32 ref: 024FA12F
                                                                    • lstrlen.KERNEL32(00000022), ref: 024FA13C
                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 024F9F13
                                                                      • Part of subcall function 024F7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 024F7081
                                                                      • Part of subcall function 024F6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\eaudxxur,024F7043), ref: 024F6F4E
                                                                      • Part of subcall function 024F6F30: GetProcAddress.KERNEL32(00000000), ref: 024F6F55
                                                                      • Part of subcall function 024F6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 024F6F7B
                                                                      • Part of subcall function 024F6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 024F6F92
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 024FA1A2
                                                                    • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 024FA1C5
                                                                    • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 024FA214
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 024FA21B
                                                                    • GetDriveTypeA.KERNEL32(?), ref: 024FA265
                                                                    • lstrcat.KERNEL32(?,00000000), ref: 024FA29F
                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 024FA2C5
                                                                    • lstrcat.KERNEL32(?,00000022), ref: 024FA2D9
                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 024FA2F4
                                                                    • wsprintfA.USER32 ref: 024FA31D
                                                                    • lstrcat.KERNEL32(?,00000000), ref: 024FA345
                                                                    • lstrcat.KERNEL32(?,?), ref: 024FA364
                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 024FA387
                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 024FA398
                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 024FA1D1
                                                                      • Part of subcall function 024F9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 024F999D
                                                                      • Part of subcall function 024F9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 024F99BD
                                                                      • Part of subcall function 024F9966: RegCloseKey.ADVAPI32(?), ref: 024F99C6
                                                                    • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 024FA3DB
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 024FA3E2
                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 024FA41D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                    • String ID: "$"$"$D$P$\
                                                                    • API String ID: 1653845638-2605685093
                                                                    • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                    • Instruction ID: bf7d0c391061cdff028913eb27c40a402faff4eed16d80f8600fcca9b42e50ca
                                                                    • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                    • Instruction Fuzzy Hash: 9EF153B1D40259AFDF61DBA0DC48FEF7BBCAB48304F0440AAE709E2141E7B586858F65
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 024F7D21
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 024F7D46
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024F7D7D
                                                                    • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 024F7DA2
                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 024F7DC0
                                                                    • EqualSid.ADVAPI32(?,?), ref: 024F7DD1
                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 024F7DE5
                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024F7DF3
                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 024F7E03
                                                                    • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 024F7E12
                                                                    • LocalFree.KERNEL32(00000000), ref: 024F7E19
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 024F7E35
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                    • String ID: D$PromptOnSecureDesktop
                                                                    • API String ID: 2976863881-1403908072
                                                                    • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                    • Instruction ID: 1441937d74dc65ba5814485312ffec28e4fbc7986d073e480e555acb78138403
                                                                    • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                    • Instruction Fuzzy Hash: 82A16E71900209AFDB518FA0DD88FEFBFB9FB48304F04816AE605E6250E7758A85CB64
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                    • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                    • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                    • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                    • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                    • String ID: D$PromptOnSecureDesktop
                                                                    • API String ID: 2976863881-1403908072
                                                                    • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                    • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                    • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                    • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                    • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                    • API String ID: 2400214276-165278494
                                                                    • Opcode ID: b207dd172069646c24aed32b1972735792d3f59ccf14c8b8a18c1bcf80ec5da1
                                                                    • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                    • Opcode Fuzzy Hash: b207dd172069646c24aed32b1972735792d3f59ccf14c8b8a18c1bcf80ec5da1
                                                                    • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 0040A7FB
                                                                    • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                    • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                    • wsprintfA.USER32 ref: 0040A8AF
                                                                    • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                    • wsprintfA.USER32 ref: 0040A8E2
                                                                    • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                    • wsprintfA.USER32 ref: 0040A9B9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf$send$lstrlenrecv
                                                                    • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                    • API String ID: 3650048968-2394369944
                                                                    • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                    • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                    • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                    • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                    APIs
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 024F7A96
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024F7ACD
                                                                    • GetLengthSid.ADVAPI32(?), ref: 024F7ADF
                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 024F7B01
                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 024F7B1F
                                                                    • EqualSid.ADVAPI32(?,?), ref: 024F7B39
                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 024F7B4A
                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024F7B58
                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 024F7B68
                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 024F7B77
                                                                    • LocalFree.KERNEL32(00000000), ref: 024F7B7E
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 024F7B9A
                                                                    • GetAce.ADVAPI32(?,?,?), ref: 024F7BCA
                                                                    • EqualSid.ADVAPI32(?,?), ref: 024F7BF1
                                                                    • DeleteAce.ADVAPI32(?,?), ref: 024F7C0A
                                                                    • EqualSid.ADVAPI32(?,?), ref: 024F7C2C
                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 024F7CB1
                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024F7CBF
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 024F7CD0
                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 024F7CE0
                                                                    • LocalFree.KERNEL32(00000000), ref: 024F7CEE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                    • String ID: D
                                                                    • API String ID: 3722657555-2746444292
                                                                    • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                    • Instruction ID: 55367e2dc6caccfa52f05685572d25ec9026ae9b0629e6e6dd61d30a39351a76
                                                                    • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                    • Instruction Fuzzy Hash: B8815D71900259AFEB51CFA4DD84FEFBBB8EF48304F04806AE605E6250D7798681CB64
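The three ownership routines above (registry key at 024F7D21 and 00407ABA, file at 024F7A96) share one pattern: resolve the current user's SID (GetUserNameA + LookupAccountNameA), read the object's owner and DACL (RegGetKeySecurity / GetFileSecurityA with 00000005 = OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION), compare with EqualSid, and if the owner differs write a fresh descriptor whose owner is the user (InitializeSecurityDescriptor + SetSecurityDescriptorOwner + RegSetKeySecurity / SetFileSecurityA with 00000001 = OWNER_SECURITY_INFORMATION); the file variant then walks the DACL with GetAce, drops ACEs with DeleteAce and writes the DACL back with 00000004 = DACL_SECURITY_INFORMATION. Each of those writes produces a Windows Security event 4670 ("Permissions on an object were changed") carrying the old and new descriptors as SDDL. The following is an added example, not from the report: an SDDL parser and differ in Python that flags an owner moved to the acting user and any ACE removed, run over constructed 4670-style records whose field names (SubjectUserSid, ObjectName, OldSd, NewSd) are chosen here, not Windows' own.

```python
"""SDDL diff for Security event 4670 (added example, not from the report).

The ownership routines above rewrite an object's owner and then its DACL;
each RegSetKeySecurity/SetFileSecurity call yields one 4670 event whose
original and new security descriptors are SDDL strings. This parses both,
diffs owner and ACEs, and flags the takeover pattern. The event records and
their field names below are constructed, not captured.
"""
import re

_SECTION = re.compile(r"(O|G|D|S):")   # SDDL components: Owner, Group, DACL, SACL
_ACE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Return {'O': sid, 'G': sid, 'D': [ace, ...], 'S': [...]}; ACEs are tuples."""
    out = {"O": None, "G": None, "D": [], "S": []}
    parts = _SECTION.split(sddl)   # ['', 'O', 'BA', 'G', 'SY', 'D', 'PAI(...)(...)']
    for tag, body in zip(parts[1::2], parts[2::2]):
        if tag in ("O", "G"):
            out[tag] = body.strip()
        else:
            # body = optional control flags such as "PAI" followed by (ace)(ace)...
            # ACE fields: type;flags;rights;object guid;inherit guid;sid
            out[tag] = [tuple(a.split(";")) for a in _ACE.findall(body)]
    return out


def diff_descriptors(old_sddl, new_sddl):
    old, new = parse_sddl(old_sddl), parse_sddl(new_sddl)
    old_aces, new_aces = set(old["D"]), set(new["D"])
    return {
        "owner_changed": old["O"] != new["O"],
        "old_owner": old["O"], "new_owner": new["O"],
        "removed_aces": sorted(old_aces - new_aces),
        "added_aces": sorted(new_aces - old_aces),
    }


def flag_takeover(event):
    """Return a list of findings for one 4670-style record; empty means benign."""
    d = diff_descriptors(event["OldSd"], event["NewSd"])
    subject, name = event["SubjectUserSid"], event["ObjectName"]
    findings = []
    if d["owner_changed"] and d["new_owner"] == subject:
        findings.append(f"owner of {name} moved from {d['old_owner']} "
                        f"to the acting user {subject}")
    for ace in d["removed_aces"]:
        ace_type, _, _, _, _, sid = (ace + ("",) * 6)[:6]
        findings.append(f"{ace_type} ACE for {sid} removed from {name}")
    return findings


def scan(events):
    """Map event index -> findings for every record that produced any."""
    result = {}
    for i, event in enumerate(events):
        findings = flag_takeover(event)
        if findings:
            result[i] = findings
    return result


# Constructed records: an admin-owned key taken over by the user, then the
# admins' allow ACE dropped from it; the third record is a benign grant.
SAMPLE_EVENTS = [
    {"SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Example\Policy",
     "OldSd": "O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KR;;;BU)",
     "NewSd": "O:S-1-5-21-1111-2222-3333-1001G:SYD:PAI(A;CI;KA;;;BA)(A;CI;KR;;;BU)"},
    {"SubjectUserSid": "S-1-5-21-1111-2222-3333-1001",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Example\Policy",
     "OldSd": "O:S-1-5-21-1111-2222-3333-1001G:SYD:PAI(A;CI;KA;;;BA)(A;CI;KR;;;BU)",
     "NewSd": "O:S-1-5-21-1111-2222-3333-1001G:SYD:PAI(A;CI;KR;;;BU)"},
    {"SubjectUserSid": "S-1-5-18",
     "ObjectName": r"C:\Windows\Temp\report.log",
     "OldSd": "O:SYG:SYD:(A;;FA;;;SY)",
     "NewSd": "O:SYG:SYD:(A;;FA;;;SY)(A;;FR;;;BA)"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(index, findings)
```

Taking ownership is the step that matters for detection: an owner can always rewrite the DACL afterwards, so the owner-to-subject transition on a key or file the subject did not previously own is the signal, and the ACE removal that follows is corroboration. Auditing for 4670 requires a SACL on the object (or the "Audit File System" / "Audit Registry" subcategories plus global object access auditing); without that, the second routine's edits leave no event to diff.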
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                    • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                    • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                    • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Value$CloseOpenQuery
                                                                    • String ID: PromptOnSecureDesktop$localcfg
                                                                    • API String ID: 237177642-1678164370
                                                                    • Opcode ID: 9998f99baa3e35f42d7690d30857871b25eda7064f5d7260055e25c792b185e5
                                                                    • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                    • Opcode Fuzzy Hash: 9998f99baa3e35f42d7690d30857871b25eda7064f5d7260055e25c792b185e5
                                                                    • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
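The function at 004083F3 opens a key under HKEY_LOCAL_MACHINE (80000002), reads a value with RegQueryValueExA and writes a 4-byte REG_DWORD (type 00000004, size 00000004) to it with RegSetValueExA; the only value name in its string set is PromptOnSecureDesktop, the UAC setting that, at 0, moves elevation prompts off the secure desktop where they can be spoofed or clicked through by other code. The key path itself is not in the argument list; the value normally lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which the example below assumes. The following is an added example, not from the report: a Python detection over constructed Sysmon Event ID 13 (registry value set) records that decodes Sysmon's "DWORD (0x........)" Details format and flags weakening writes. It also covers the sibling values EnableLUA and ConsentPromptBehaviorAdmin, which go beyond what this report shows; the Image paths and process IDs in the records are made up.

```python
"""Flag UAC-weakening registry writes in Sysmon Event ID 13 (added example).

Sysmon logs a value write as EventID 13 with TargetObject (full key path
including the value name) and Details such as "DWORD (0x00000000)". The
key path assumed for PromptOnSecureDesktop is the standard UAC policy key;
the report itself does not show it. Sample records below are constructed.
"""
import re

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> DWORD values that weaken UAC. PromptOnSecureDesktop is the one
# in the report; the other two are its well-known siblings under the same key.
WEAKENING = {
    "PromptOnSecureDesktop": {0},       # elevation prompt on the user desktop
    "EnableLUA": {0},                   # UAC disabled entirely
    "ConsentPromptBehaviorAdmin": {0},  # elevate admins without any prompt
}

_DWORD = re.compile(r"^DWORD \(0x([0-9A-Fa-f]{8})\)$")


def decode_details(details):
    """'DWORD (0x00000000)' -> 0; any other Sysmon Details format -> None."""
    m = _DWORD.match(details.strip())
    return int(m.group(1), 16) if m else None


def split_target(target_object):
    """Split Sysmon TargetObject into (key path, value name)."""
    key, _, value = target_object.rpartition("\\")
    return key, value


def classify(event):
    """Return a finding string for a UAC-weakening write, else None."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    key, value = split_target(event["TargetObject"])
    if key.lower() != UAC_KEY.lower() or value not in WEAKENING:
        return None
    data = decode_details(event["Details"])
    if data in WEAKENING[value]:
        return (f"{event['Image']} (pid {event['ProcessId']}) set "
                f"{value}={data} under {key}")
    return None


def scan(events):
    return [finding for finding in map(classify, events) if finding]


# Constructed Sysmon-style records: the sample zeroing PromptOnSecureDesktop,
# a benign restore of the default, and an unrelated write elsewhere.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\dIg0MWRViP.exe",
     "TargetObject": UAC_KEY + r"\PromptOnSecureDesktop",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 980,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": UAC_KEY + r"\PromptOnSecureDesktop",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4120,
     "Image": r"C:\Users\user\Desktop\dIg0MWRViP.exe",
     "TargetObject": r"HKCU\Software\Example\Setting",
     "Details": r"C:\Windows\Temp\x.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The value-set event is only half the story on this sample: the ownership routine above is what lets a non-privileged writer reach this key at all, so a write that succeeds from a user-context process is itself the anomaly and should be correlated with a preceding permission change on the same key.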
                                                                    APIs
                                                                    • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                    • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                    • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                    • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                    • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                    • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                    • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                    • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                    • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                    • API String ID: 835516345-270533642
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 024F865A
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 024F867B
                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 024F86A8
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 024F86B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Similarity
                                                                    • API ID: Value$CloseOpenQuery
                                                                    • String ID: "$PromptOnSecureDesktop
                                                                    • API String ID: 237177642-3108538426
                                                                    APIs
                                                                    • ShellExecuteExW.SHELL32(?), ref: 024F1601
                                                                    • lstrlenW.KERNEL32(-00000003), ref: 024F17D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Similarity
                                                                    • API ID: ExecuteShelllstrlen
                                                                    • String ID: $<$@$D
                                                                    • API String ID: 1628651668-1974347203
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 024F76D9
                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 024F7757
                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 024F778F
                                                                    • ___ascii_stricmp.LIBCMT ref: 024F78B4
                                                                    • RegCloseKey.ADVAPI32(?), ref: 024F794E
                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 024F796D
                                                                    • RegCloseKey.ADVAPI32(?), ref: 024F797E
                                                                    • RegCloseKey.ADVAPI32(?), ref: 024F79AC
                                                                    • RegCloseKey.ADVAPI32(?), ref: 024F7A56
                                                                      • Part of subcall function 024FF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,024F772A,?), ref: 024FF414
                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 024F79F6
                                                                    • RegCloseKey.ADVAPI32(?), ref: 024F7A4D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Similarity
                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                    • String ID: "$PromptOnSecureDesktop
                                                                    • API String ID: 3433985886-3108538426
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024F2CED
                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 024F2D07
                                                                    • htons.WS2_32(00000000), ref: 024F2D42
                                                                    • select.WS2_32 ref: 024F2D8F
                                                                    • recv.WS2_32(?,00000000,00001000,00000000), ref: 024F2DB1
                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 024F2E62
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                    • String ID:
                                                                    • API String ID: 127016686-0
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                      • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                      • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                      • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                      • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                      • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                      • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                    • wsprintfA.USER32 ref: 0040AEA5
                                                                      • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                    • wsprintfA.USER32 ref: 0040AE4F
                                                                    • wsprintfA.USER32 ref: 0040AE5E
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                    • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                    • API String ID: 3631595830-1816598006
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                    • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                    • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                    • htons.WS2_32(00000035), ref: 00402E88
                                                                    • inet_addr.WS2_32(?), ref: 00402E93
                                                                    • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                    • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                    • String ID: GetNetworkParams$iphlpapi.dll
                                                                    • API String ID: 929413710-2099955842
                                                                    APIs
                                                                    • GetVersionExA.KERNEL32(?), ref: 024F95A7
                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 024F95D5
                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 024F95DC
                                                                    • wsprintfA.USER32 ref: 024F9635
                                                                    • wsprintfA.USER32 ref: 024F9673
                                                                    • wsprintfA.USER32 ref: 024F96F4
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 024F9758
                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 024F978D
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 024F97D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Similarity
                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 3696105349-2980165447
                                                                    APIs
                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcmpi
                                                                    • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                    • API String ID: 1586166983-142018493
                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 0040B467
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$wsprintf
                                                                    • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                    • API String ID: 1220175532-2340906255
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00402078
                                                                    • GetTickCount.KERNEL32 ref: 004020D4
                                                                    • GetTickCount.KERNEL32 ref: 004020DB
                                                                    • GetTickCount.KERNEL32 ref: 0040212B
                                                                    • GetTickCount.KERNEL32 ref: 00402132
                                                                    • GetTickCount.KERNEL32 ref: 00402142
                                                                      • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                      • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                      • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                      • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                      • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Similarity
                                                                    • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                    • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                    • API String ID: 3976553417-1522128867
                                                                    APIs
                                                                    • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                    • closesocket.WS2_32(00000000), ref: 0040F375
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: closesockethtonssocket
                                                                    • String ID: time_cfg
                                                                    • API String ID: 311057483-2401304539
                                                                    • Opcode ID: f6bf990b8d2e0653f7ce57bc0c35302b71962c3564253f9b7ed5e4bc4b128e8d
                                                                    • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                    • Opcode Fuzzy Hash: f6bf990b8d2e0653f7ce57bc0c35302b71962c3564253f9b7ed5e4bc4b128e8d
                                                                    • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                    APIs
                                                                      • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                      • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                    • GetTickCount.KERNEL32 ref: 0040C31F
                                                                    • GetTickCount.KERNEL32 ref: 0040C32B
                                                                    • GetTickCount.KERNEL32 ref: 0040C363
                                                                    • GetTickCount.KERNEL32 ref: 0040C378
                                                                    • GetTickCount.KERNEL32 ref: 0040C44D
                                                                    • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                    • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                    • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                    • String ID: localcfg
                                                                    • API String ID: 1553760989-1857712256
                                                                    • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                    • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                    • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                    • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 024F3068
                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 024F3078
                                                                    • GetProcAddress.KERNEL32(00000000,00410408), ref: 024F3095
                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024F30B6
                                                                    • htons.WS2_32(00000035), ref: 024F30EF
                                                                    • inet_addr.WS2_32(?), ref: 024F30FA
                                                                    • gethostbyname.WS2_32(?), ref: 024F310D
                                                                    • HeapFree.KERNEL32(00000000), ref: 024F314D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                    • String ID: iphlpapi.dll
                                                                    • API String ID: 2869546040-3565520932
                                                                    • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                    • Instruction ID: b5941bdf0e5a18d3ca32d5ad44bfc31c8debd8c0750dd4b3e60d2b76f2e39b52
                                                                    • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                    • Instruction Fuzzy Hash: 5231C731A00246ABDB929FB49D48BAF7F78EF44364F1441A7E618E3390DB74D541CB58
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                    • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                    • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                    • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                    • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                    • String ID: DnsQuery_A$dnsapi.dll
                                                                    • API String ID: 3560063639-3847274415
                                                                    • Opcode ID: 0cf6a8701cb8f0680dc0f016b74236af14a98fd9df1df95cbda4f4d63be35472
                                                                    • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                    • Opcode Fuzzy Hash: 0cf6a8701cb8f0680dc0f016b74236af14a98fd9df1df95cbda4f4d63be35472
                                                                    • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                    • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                    • API String ID: 1082366364-2834986871
                                                                    • Opcode ID: 95e7c86f2c9233c41f1e2c53a6d570cd49a4b83f91fe69b21a1c821a086f9375
                                                                    • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                    • Opcode Fuzzy Hash: 95e7c86f2c9233c41f1e2c53a6d570cd49a4b83f91fe69b21a1c821a086f9375
                                                                    • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                    APIs
                                                                    • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                    • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                    • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                    • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                    • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                    • String ID: D$PromptOnSecureDesktop
                                                                    • API String ID: 2981417381-1403908072
                                                                    • Opcode ID: db8e7b4b42e65af80add877bb874c42dec97f5f82b139a1a33863129b24a212d
                                                                    • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                    • Opcode Fuzzy Hash: db8e7b4b42e65af80add877bb874c42dec97f5f82b139a1a33863129b24a212d
                                                                    • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                    APIs
                                                                    • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 024F67C3
                                                                    • htonl.WS2_32(?), ref: 024F67DF
                                                                    • htonl.WS2_32(?), ref: 024F67EE
                                                                    • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 024F68F1
                                                                    • ExitProcess.KERNEL32 ref: 024F69BC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Processhtonl$CurrentExitHugeRead
                                                                    • String ID: except_info$localcfg
                                                                    • API String ID: 1150517154-3605449297
                                                                    • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                    • Instruction ID: 0e70a0c211c851caf44840e893623a4cec965050d5488d61d3f5b052dbc368d2
                                                                    • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                    • Instruction Fuzzy Hash: E4616E71A40208AFDB609FB4DC45FEA77E9FB48300F14806AFA6DD2161EB7599908F14
                                                                    APIs
                                                                    • htons.WS2_32(024FCC84), ref: 024FF5B4
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 024FF5CE
                                                                    • closesocket.WS2_32(00000000), ref: 024FF5DC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: closesockethtonssocket
                                                                    • String ID: time_cfg
                                                                    • API String ID: 311057483-2401304539
                                                                    • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                    • Instruction ID: a829de05e2eba03b54815dd0ff9ee2fe8db07ce13d9aef3e8d33ae16f26a9663
                                                                    • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                    • Instruction Fuzzy Hash: E3316071900118ABDB50DFA5DC84DEF7BBCEF88710F11456AFA15D3190E7709A86CBA4
                                                                    APIs
                                                                    • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                    • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                    • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                    • wsprintfA.USER32 ref: 00407036
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                    • String ID: /%d$|
                                                                    • API String ID: 676856371-4124749705
                                                                    • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                    • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                    • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                    • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?), ref: 024F2FA1
                                                                    • LoadLibraryA.KERNEL32(?), ref: 024F2FB1
                                                                    • GetProcAddress.KERNEL32(00000000,004103F0), ref: 024F2FC8
                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 024F3000
                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024F3007
                                                                    • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 024F3032
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                    • String ID: dnsapi.dll
                                                                    • API String ID: 1242400761-3175542204
                                                                    • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                    • Instruction ID: 2c59d0c05404c5f111d6e5b042553de91452c6174e488aef36d94586a3a6b15f
                                                                    • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                    • Instruction Fuzzy Hash: 8F219271D40226BBCB619F55DC44AAFBFB8EF48B10F014462FA01E7640D7B49AC18BE4
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\eaudxxur,024F7043), ref: 024F6F4E
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 024F6F55
                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 024F6F7B
                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 024F6F92
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                    • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\eaudxxur
                                                                    • API String ID: 1082366364-178168089
                                                                    • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                    • Instruction ID: 0fa34587edd491e716f7d1618f33a3e59758859a38f8c42be2438947ca87c465
                                                                    • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                    • Instruction Fuzzy Hash: B421F2217403403EF7A257319C88FBB2A4C8F92714F1A40AAFA0495AD0DBD984DA8A7D
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Code
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 3609698214-2980165447
                                                                    • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                    • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                    • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                    • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                    APIs
                                                                    • GetTempPathA.KERNEL32(00000400,?), ref: 024F92E2
                                                                    • wsprintfA.USER32 ref: 024F9350
                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 024F9375
                                                                    • lstrlen.KERNEL32(?,?,00000000), ref: 024F9389
                                                                    • WriteFile.KERNEL32(00000000,?,00000000), ref: 024F9394
                                                                    • CloseHandle.KERNEL32(00000000), ref: 024F939B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 2439722600-2980165447
                                                                    • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                    • Instruction ID: 00e0c5956023fe4b07fbb779d4e377da03230f15907cf86a314cb9cc18d752be
                                                                    • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                    • Instruction Fuzzy Hash: EE119AB57401147BE7606732DC0DFEF3A6EDFC8B11F01C06ABB06E5090EAB44A458A75
                                                                    APIs
                                                                    • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                    • wsprintfA.USER32 ref: 004090E9
                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                    • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 2439722600-2980165447
                                                                    • Opcode ID: 730725e1a30653b3eba158ee6b5a706d92185f15afc7f0cb0d565943f0052150
                                                                    • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                    • Opcode Fuzzy Hash: 730725e1a30653b3eba158ee6b5a706d92185f15afc7f0cb0d565943f0052150
                                                                    • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                    APIs
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 024F9A18
                                                                    • GetThreadContext.KERNEL32(?,?), ref: 024F9A52
                                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 024F9A60
                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 024F9A98
                                                                    • SetThreadContext.KERNEL32(?,00010002), ref: 024F9AB5
                                                                    • ResumeThread.KERNEL32(?), ref: 024F9AC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                    • String ID: D
                                                                    • API String ID: 2981417381-2746444292
                                                                    • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                    • Instruction ID: f7f3f54aa703419f78af6d8174274fff446d7e0cc361af7e5f57a851cc2c0ba7
                                                                    • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                    • Instruction Fuzzy Hash: 60213BB1E01229BBDB619BA1DC09FEF7BBCEF44750F404062BA19E1150E7758A84CBA4
                                                                    APIs
                                                                    • inet_addr.WS2_32(004102D8), ref: 024F1C18
                                                                    • LoadLibraryA.KERNEL32(004102C8), ref: 024F1C26
                                                                    • GetProcessHeap.KERNEL32 ref: 024F1C84
                                                                    • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 024F1C9D
                                                                    • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 024F1CC1
                                                                    • HeapFree.KERNEL32(?,00000000,00000000), ref: 024F1D02
                                                                    • FreeLibrary.KERNEL32(?), ref: 024F1D0B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                    • String ID:
                                                                    • API String ID: 2324436984-0
                                                                    • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                    • Instruction ID: 58d04e133c32add87a4f6a944e0ec9dcd761273cee871b8b98abb98e1666041a
                                                                    • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                    • Instruction Fuzzy Hash: D3315E32D00249FFCB519FA4DC888AFBAB9EB85705B24447BE609A2210D7B55E80DB94
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                    • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                    • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: QueryValue$CloseOpen
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 1586453840-2980165447
                                                                    • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                    • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                    • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                    • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                    • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                    • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle$CreateEvent
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 1371578007-2980165447
                                                                    • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                    • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                    • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                    • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                    APIs
                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 024F6CE4
                                                                    • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 024F6D22
                                                                    • GetLastError.KERNEL32 ref: 024F6DA7
                                                                    • CloseHandle.KERNEL32(?), ref: 024F6DB5
                                                                    • GetLastError.KERNEL32 ref: 024F6DD6
                                                                    • DeleteFileA.KERNEL32(?), ref: 024F6DE7
                                                                    • GetLastError.KERNEL32 ref: 024F6DFD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                    • String ID:
                                                                    • API String ID: 3873183294-0
                                                                    • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                    • Instruction ID: 46d94ca98cbaa321f52e1f5e2f7c8e1286a166fefbeaa3efd10aa1a04272255d
                                                                    • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                    • Instruction Fuzzy Hash: E431EE73900249BFCB419FA59D48ADF7F7DEB88300F16816AE321A3220D7708A858B61
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 024F93C6
                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 024F93CD
                                                                    • CharToOemA.USER32(?,?), ref: 024F93DB
                                                                    • wsprintfA.USER32 ref: 024F9410
                                                                      • Part of subcall function 024F92CB: GetTempPathA.KERNEL32(00000400,?), ref: 024F92E2
                                                                      • Part of subcall function 024F92CB: wsprintfA.USER32 ref: 024F9350
                                                                      • Part of subcall function 024F92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 024F9375
                                                                      • Part of subcall function 024F92CB: lstrlen.KERNEL32(?,?,00000000), ref: 024F9389
                                                                      • Part of subcall function 024F92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 024F9394
                                                                      • Part of subcall function 024F92CB: CloseHandle.KERNEL32(00000000), ref: 024F939B
                                                                    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 024F9448
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 3857584221-2980165447
                                                                    • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                    • Instruction ID: 7aa64262734e9c28a7cde013a6e2a3c02bd3f6b9aa9b44ac7b0a71dbe2d4fabe
                                                                    • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                    • Instruction Fuzzy Hash: A4015EF69001187BDB61A7619D89FDF3B7CDBD5701F0040A6BB49E2080EAB496C98F75
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                    • CharToOemA.USER32(?,?), ref: 00409174
                                                                    • wsprintfA.USER32 ref: 004091A9
                                                                      • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                      • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                      • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                      • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                      • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                      • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                    • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 3857584221-2980165447
                                                                    • Opcode ID: 45fddde66681fcd1d10412195ca3cbb3a67b5acc72870ab1a948a161cfab8417
                                                                    • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                    • Opcode Fuzzy Hash: 45fddde66681fcd1d10412195ca3cbb3a67b5acc72870ab1a948a161cfab8417
                                                                    • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen
                                                                    • String ID: $localcfg
                                                                    • API String ID: 1659193697-2018645984
                                                                    • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                    • Instruction ID: 1bce074a5de0d44bb125ee1f6e55e93cf9469f5f2bfa0e6d82615cb31421aafb
                                                                    • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                    • Instruction Fuzzy Hash: 5A712B72A00364ABDFA19B54DC85FEF376AABC0749F244027FB0CA61D0DF6199C88B55
                                                                    APIs
                                                                      • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                      • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                      • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                    • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                    • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                    • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                    • String ID: flags_upd$localcfg
                                                                    • API String ID: 204374128-3505511081
                                                                    • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                    • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                    • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                    • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                    APIs
                                                                      • Part of subcall function 024FDF6C: GetCurrentThreadId.KERNEL32 ref: 024FDFBA
                                                                    • lstrcmp.KERNEL32(00410178,00000000), ref: 024FE8FA
                                                                    • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,024F6128), ref: 024FE950
                                                                    • lstrcmp.KERNEL32(?,00000008), ref: 024FE989
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                    • String ID: A$ A$ A
• API String ID: 2920362961-1846390581
• Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
• Instruction ID: dadaf5de2ed26876fb454433dc0f7590e0106b56fee411f013dd345338b3e8bb
• Instruction Fuzzy Hash: A1319231B00705DBDBB18F25C884FAB7BE5EB85726F00852BEB5587661D370E480CBA1
Memory Dump Source
• Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
• Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
• Instruction ID: 30ab593c2473aebfd1d45b0ea47de3bac8974f8690fb089cbf03723c8bf40b88
• Instruction Fuzzy Hash: 04215C73204219BFDB509BB1FC48EDF7FADEB89265B118426F612D10A0FB71DA409A74
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 024FC6B4
• InterlockedIncrement.KERNEL32(024FC74B), ref: 024FC715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,024FC747), ref: 024FC728
• CloseHandle.KERNEL32(00000000,?,024FC747,00413588,024F8A77), ref: 024FC733
Memory Dump Source
• Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: d800eaceae510e1df57b912a0c9065c9211c0c13b61362d09497bacd5537fa87
• Instruction Fuzzy Hash: 97514CB1A04B458FD7A4CF29C5C462ABBE9FB88704B50693FE28BC7A90D774E444CB50
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 124786226-2980165447
• Opcode ID: ae68541743c3be3a909adc74ff35c87c840d37b8f53cb495da4a43f3a1185c7f
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
APIs
• RegCreateKeyExA.ADVAPI32(80000001,024FE50A,00000000,00000000,00000000,00020106,00000000,024FE50A,00000000,000000E4), ref: 024FE319
• RegSetValueExA.ADVAPI32(024FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 024FE38E
• RegDeleteValueA.ADVAPI32(024FE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 024FE3BF
• RegCloseKey.ADVAPI32(024FE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,024FE50A), ref: 024FE3C8
Memory Dump Source
• Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: 961e00fdc4dfd9beae16d4dcc7fc12e15c1089d0304f5a021ebde7572bae9d7d
• Instruction Fuzzy Hash: 3A214F71A0021DABDF609FA5EC89EDF7F79EF48750F048026FA04E6160E3B19A54DB91
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
• Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
• Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
• Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 024F71E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024F7228
• LocalFree.KERNEL32(?,?,?), ref: 024F7286
• wsprintfA.USER32 ref: 024F729D
Memory Dump Source
• Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 37e515816f8ccd3fd5b0a66c7130925b7837e47e00d98b9a33afabb3d3c56606
• Instruction Fuzzy Hash: 9D313872A00208BFDB41DFA8DC44BDB7BACEF44314F148066F959DB240EB79D6488B94
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Memory Dump Source
• Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• GetLocalTime.KERNEL32(?), ref: 024FB51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 024FB529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 024FB548
• GetTimeZoneInformation.KERNEL32(?), ref: 024FB590
• wsprintfA.USER32 ref: 024FB61E
Memory Dump Source
• Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 7c1e5bd8289b24d1cd9650f3b7a713fa30cfff52a6da8684ce552db02d8485b7
• Instruction Fuzzy Hash: 375111B1D0021DAACF54DFD5D8445EEBBB9FF49308F10816BE605A6150E7B84AC9CF98
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 024F6303
• LoadLibraryA.KERNEL32(?), ref: 024F632A
• GetProcAddress.KERNEL32(00000000,?), ref: 024F63B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 024F6405
Memory Dump Source
• Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: 4fd8eb62b7d13b9e75f98712db089c9eef1ded8d6fcc7d0094217f2e82e0c335
• Instruction Fuzzy Hash: 48417E71A00219AFDB54CF58C884BAAB7B8EF84318F16816EEA25D7390E771E941CB50
Memory Dump Source
• Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1989905191bf49f42eadb9a02807c093ecede48eba88651750ab7d74b4d97855
• Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
• Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
Memory Dump Source
• Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
• Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
• Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
• Opcode ID: 6299e4c0913397de1f3665e69ba77cac23d914eedd5d9e3cba2a57aff5f89fa9
• Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
• Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                    APIs
                                                                    • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                    • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                    • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: setsockopt
                                                                    • String ID:
                                                                    • API String ID: 3981526788-0
                                                                    • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                    • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                    • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                    • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                    APIs
                                                                    • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                    • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                    • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$lstrcmpi
                                                                    • String ID: localcfg
                                                                    • API String ID: 1808961391-1857712256
                                                                    • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                    • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                    • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                    • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                    APIs
                                                                      • Part of subcall function 024FDF6C: GetCurrentThreadId.KERNEL32 ref: 024FDFBA
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,024FA6AC), ref: 024FE7BF
                                                                    • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,024FA6AC), ref: 024FE7EA
                                                                    • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,024FA6AC), ref: 024FE819
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCurrentHandleReadSizeThread
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 1396056608-2980165447
                                                                    • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                    • Instruction ID: a56accd35d16d5296476a644385b9cbdec55a998fa6aa2ab7dce40bd7fb7e2e6
                                                                    • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                    • Instruction Fuzzy Hash: 4621F9B1A403007AF260B7229C05FEB3E5DDBE5B61F10002FFB09B56E3FA9594508AB5
                                                                    APIs
                                                                      • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                      • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                      • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                    • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 3683885500-2980165447
                                                                    • Opcode ID: b34be97497fedca3b752326b27e86ec13df76e891a8447f3c258caf0ac6daf65
                                                                    • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                    • Opcode Fuzzy Hash: b34be97497fedca3b752326b27e86ec13df76e891a8447f3c258caf0ac6daf65
                                                                    • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                    • API String ID: 2574300362-1087626847
                                                                    • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                    • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                    • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                    • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 024F76D9
                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 024F796D
                                                                    • RegCloseKey.ADVAPI32(?), ref: 024F797E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseEnumOpen
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 1332880857-2980165447
                                                                    • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                    • Instruction ID: defa90ddeeeb4cb6335233f081d7ad1af239a42402f95ff9d0daaced533014ad
                                                                    • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                    • Instruction Fuzzy Hash: F911E130A00109AFEB518FA9DC44FEFBFB9EF85714F140166F610E6290E3B88950CB60
                                                                    APIs
                                                                      • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                      • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                    • String ID: hi_id$localcfg
                                                                    • API String ID: 2777991786-2393279970
                                                                    • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                    • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                    • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                    • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 024F999D
                                                                    • RegDeleteValueA.ADVAPI32(?,00000000), ref: 024F99BD
                                                                    • RegCloseKey.ADVAPI32(?), ref: 024F99C6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseDeleteOpenValue
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 849931509-2980165447
                                                                    • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                    • Instruction ID: 1a598632ca9520a7501d695372c055da7abd4799205f8b4da879f70108cbcb94
                                                                    • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                    • Instruction Fuzzy Hash: A8F0F6B2680208BFF7106B51EC06FDB3A2CDB94B10F100065FB05B51D1F6E59A908AB9
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                    • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                    • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseDeleteOpenValue
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 849931509-2980165447
                                                                    • Opcode ID: 1de8ff1520225209df033a468c4c448d63514a3a5e91d9bb697f39b21080aa95
                                                                    • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                    • Opcode Fuzzy Hash: 1de8ff1520225209df033a468c4c448d63514a3a5e91d9bb697f39b21080aa95
                                                                    • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: gethostbynameinet_addr
                                                                    • String ID: time_cfg$u6A
                                                                    • API String ID: 1594361348-1940331995
                                                                    • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                    • Instruction ID: 04a30915f72c89a7130f78be1c237eb8441b54fff2797699d3e31540da7430e3
                                                                    • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                    • Instruction Fuzzy Hash: 97E0C2306041118FCB80CB2CF848AC637E4EF8A230F008282F940D32A0C7B4DCC09740
                                                                    APIs
                                                                    • SetFileAttributesA.KERNEL32(?,00000080), ref: 024F69E5
                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 024F6A26
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 024F6A3A
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 024F6BD8
                                                                      • Part of subcall function 024FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,024F1DCF,?), ref: 024FEEA8
                                                                      • Part of subcall function 024FEE95: HeapFree.KERNEL32(00000000), ref: 024FEEAF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                    • String ID:
                                                                    • API String ID: 3384756699-0
                                                                    • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                    • Instruction ID: 938147c7c0cc6e4ac267dfe4d3b18324f6311335e6d7007dcd3517a4f118d760
                                                                    • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                    • Instruction Fuzzy Hash: 9F712971D0022DEFDF11DFA4CD80AEEBBB9FB44314F11456AE625A6290D7309E92CB60
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                     • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf
                                                                    • String ID: %u.%u.%u.%u.%s$localcfg
                                                                    • API String ID: 2111968516-120809033
                                                                    • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                    • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                    • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                    • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                    APIs
                                                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 024F41AB
                                                                    • GetLastError.KERNEL32 ref: 024F41B5
                                                                    • WaitForSingleObject.KERNEL32(?,?), ref: 024F41C6
                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 024F41D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                    • String ID:
                                                                    • API String ID: 3373104450-0
                                                                    • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                    • Instruction ID: e25839bc1c0ccd4d78a83f97f8c62893c935e49a87f215d732c3eda93b177f8d
                                                                    • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                    • Instruction Fuzzy Hash: B701E97651110EABDF02DF90EE88BEF7B6CEB18255F004062FA01E2150DB70AB548BB5
                                                                    APIs
                                                                    • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 024F421F
                                                                    • GetLastError.KERNEL32 ref: 024F4229
                                                                    • WaitForSingleObject.KERNEL32(?,?), ref: 024F423A
                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 024F424D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                    • String ID:
                                                                    • API String ID: 888215731-0
                                                                    • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                    • Instruction ID: f81c76ef026897eaab91a6c462a0c3af0e84f051b9661b6027abee0e54737243
                                                                    • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                    • Instruction Fuzzy Hash: 1A010872511109AFDF41DF90ED84BEF7BACEB48295F018062FA01E6150DB70DA548BB6
                                                                    APIs
                                                                    • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                    • GetLastError.KERNEL32 ref: 00403F4E
                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                    • String ID:
                                                                    • API String ID: 3373104450-0
                                                                    • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                    • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                    • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                    • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                    APIs
                                                                    • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                    • GetLastError.KERNEL32 ref: 00403FC2
                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                    • String ID:
                                                                    • API String ID: 888215731-0
                                                                    • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                    • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                    • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                    • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                    APIs
                                                                    • lstrcmp.KERNEL32(?,80000009), ref: 024FE066
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcmp
                                                                    • String ID: A$ A$ A
                                                                    • API String ID: 1534048567-1846390581
                                                                    • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                    • Instruction ID: 5e63c1852aae49fa7618872449b59412900e7ec915620f9e5e5c56066fc0d285
                                                                    • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                    • Instruction Fuzzy Hash: 04F062313007229FCB60CF25D884A83B7E9FB85326B54872BE654C3A70D374A499CF55
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                    • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                    • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                    • String ID:
                                                                    • API String ID: 2207858713-0
                                                                    • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                    • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                    • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                    • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00404E9E
                                                                    • GetTickCount.KERNEL32 ref: 00404EAD
                                                                    • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                    • String ID:
                                                                    • API String ID: 2207858713-0
                                                                    • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                    • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                    • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                    • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00404BDD
                                                                    • GetTickCount.KERNEL32 ref: 00404BEC
                                                                    • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                    • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                    • String ID:
                                                                    • API String ID: 2207858713-0
                                                                    • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                    • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                    • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                    • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00403103
                                                                    • GetTickCount.KERNEL32 ref: 0040310F
                                                                    • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                    • String ID:
                                                                    • API String ID: 2207858713-0
                                                                    • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                    • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                    • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                    • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                    APIs
                                                                    • WriteFile.KERNEL32(00000001,024F44E2,00000000,00000000,00000000), ref: 024FE470
                                                                    • CloseHandle.KERNEL32(00000001,00000003), ref: 024FE484
                                                                      • Part of subcall function 024FE2FC: RegCreateKeyExA.ADVAPI32(80000001,024FE50A,00000000,00000000,00000000,00020106,00000000,024FE50A,00000000,000000E4), ref: 024FE319
                                                                      • Part of subcall function 024FE2FC: RegSetValueExA.ADVAPI32(024FE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 024FE38E
                                                                      • Part of subcall function 024FE2FC: RegDeleteValueA.ADVAPI32(024FE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 024FE3BF
                                                                      • Part of subcall function 024FE2FC: RegCloseKey.ADVAPI32(024FE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,024FE50A), ref: 024FE3C8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 4151426672-2980165447
                                                                    • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                    • Instruction ID: 12f92d1e6ffa49b3f22b36c3ec4cf179d717c8d76239e420104044f3e4bdf30a
                                                                    • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                    • Instruction Fuzzy Hash: E941DA71E00208BAEB60AF928C45FDB3B6CDB84725F14802BFF09941B1E7B58650DEB5
                                                                    APIs
                                                                    • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                    • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                      • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                      • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                      • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                      • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 4151426672-2980165447
                                                                    • Opcode ID: c045c498aada669352df22a1777108d7d540d58746e4c3ccf69df76ec8d8be56
                                                                    • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                    • Opcode Fuzzy Hash: c045c498aada669352df22a1777108d7d540d58746e4c3ccf69df76ec8d8be56
                                                                    • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 024F83C6
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 024F8477
                                                                      • Part of subcall function 024F69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 024F69E5
                                                                      • Part of subcall function 024F69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 024F6A26
                                                                      • Part of subcall function 024F69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 024F6A3A
                                                                      • Part of subcall function 024FEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,024F1DCF,?), ref: 024FEEA8
                                                                      • Part of subcall function 024FEE95: HeapFree.KERNEL32(00000000), ref: 024FEEAF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 359188348-2980165447
                                                                    • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                    • Instruction ID: 57e0a585f8af466b2f18bf718e8c77468ceb7bd7ee470d275e9e35f15bae483d
                                                                    • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                    • Instruction Fuzzy Hash: FD4181B2900109BFEB50EBA19E80EFF777DEB84304F0444ABE704DA150F7B05A988B60
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,024FE859,00000000,00020119,024FE859,PromptOnSecureDesktop), ref: 024FE64D
                                                                    • RegCloseKey.ADVAPI32(024FE859,?,?,?,?,000000C8,000000E4), ref: 024FE787
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpen
                                                                    • String ID: PromptOnSecureDesktop
                                                                    • API String ID: 47109696-2980165447
                                                                    • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                    • Instruction ID: cf0fb49311caa2fb2f9fc466635ac6bebc3864c9587d0ef4ade94ddb3ec17880
                                                                    • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                    • Instruction Fuzzy Hash: 0F4108B2E0011DBFDF51EF95DC80EEEBBB9FB44705F144466EA00A6260E3719A558B60
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?), ref: 024FAFFF
                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 024FB00D
                                                                      • Part of subcall function 024FAF6F: gethostname.WS2_32(?,00000080), ref: 024FAF83
                                                                      • Part of subcall function 024FAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 024FAFE6
                                                                      • Part of subcall function 024F331C: gethostname.WS2_32(?,00000080), ref: 024F333F
                                                                      • Part of subcall function 024F331C: gethostbyname.WS2_32(?), ref: 024F3349
                                                                      • Part of subcall function 024FAA0A: inet_ntoa.WS2_32(00000000), ref: 024FAA10
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                    • String ID: %OUTLOOK_BND_
                                                                    • API String ID: 1981676241-3684217054
                                                                    • Opcode ID: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                    • Instruction ID: 6c67656ecfee36a0685cebd46c3c3f7ec0befaaf91a2ae693f1d92d93231ff67
                                                                    • Opcode Fuzzy Hash: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                    • Instruction Fuzzy Hash: 3E41607290020CAFDB61EFA1DC45EEE3B6DFF48304F14442BFA2592151EA75EA448F54
                                                                    APIs
                                                                    • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 024F9536
                                                                    • Sleep.KERNEL32(000001F4), ref: 024F955D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExecuteShellSleep
                                                                    • String ID:
                                                                    • API String ID: 4194306370-3916222277
                                                                    • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                    • Instruction ID: 3d3aaffe0af8942e09e337ea3c7125b716f914edf360eda09c4142e6ef97bae7
                                                                    • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                    • Instruction Fuzzy Hash: 1D412972C083997FEBB68B68D89C7A73FA49BC2318F1410A7D682572A2D7744981C711
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 024FB9D9
                                                                    • InterlockedIncrement.KERNEL32(00413648), ref: 024FBA3A
                                                                    • InterlockedIncrement.KERNEL32(?), ref: 024FBA94
                                                                    • GetTickCount.KERNEL32 ref: 024FBB79
                                                                    • GetTickCount.KERNEL32 ref: 024FBB99
                                                                    • InterlockedIncrement.KERNEL32(?), ref: 024FBE15
                                                                    • closesocket.WS2_32(00000000), ref: 024FBEB4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountIncrementInterlockedTick$closesocket
                                                                    • String ID: %FROM_EMAIL
                                                                    • API String ID: 1869671989-2903620461
                                                                    • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                    • Instruction ID: bd667fb0036900d3adb318375d01ecf2c7cb3a80b1f8e5fe3323589bf978ea6f
                                                                    • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                    • Instruction Fuzzy Hash: 28317C71500248DFDFA5DFA5DC84AEAB7A9EB89704F20405BFB2482160EB30DA85CF10
                                                                    APIs
                                                                    Strings
                                                                    • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTickwsprintf
                                                                    • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                    • API String ID: 2424974917-1012700906
                                                                    • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                    • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                    • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                    • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                    APIs
                                                                      • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                      • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                    • String ID: %FROM_EMAIL
                                                                    • API String ID: 3716169038-2903620461
                                                                    • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                    • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                    • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                    • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                    APIs
                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 024F70BC
                                                                    • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 024F70F4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Name$AccountLookupUser
                                                                    • String ID: |
                                                                    • API String ID: 2370142434-2343686810
                                                                    • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                    • Instruction ID: ab2670516983cca0ee6db256ebadc1ce2e6803e9dc6c1fd48acecf2f3763383d
                                                                    • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                    • Instruction Fuzzy Hash: C0112A72900118EBDB52CFD4DD84ADFB7BCEB44305F1441A6E701E6294D7749B88CBA0
                                                                    APIs
                                                                      • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                      • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                    • String ID: localcfg
                                                                    • API String ID: 2777991786-1857712256
                                                                    • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                    • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                    • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                    • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                    APIs
                                                                    • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                    • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: IncrementInterlockedlstrcpyn
                                                                    • String ID: %FROM_EMAIL
                                                                    • API String ID: 224340156-2903620461
                                                                    • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                    • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                    • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                    • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                    APIs
                                                                    • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                    • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: gethostbyaddrinet_ntoa
                                                                    • String ID: localcfg
                                                                    • API String ID: 2112563974-1857712256
                                                                    • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                    • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                    • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                    • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: gethostbynameinet_addr
                                                                    • String ID: time_cfg
                                                                    • API String ID: 1594361348-2401304539
                                                                    • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                    • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                    • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                    • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: ntdll.dll
                                                                    • API String ID: 2574300362-2227199552
                                                                    • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                    • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                    • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                    • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                    APIs
                                                                      • Part of subcall function 024F2F88: GetModuleHandleA.KERNEL32(?), ref: 024F2FA1
                                                                      • Part of subcall function 024F2F88: LoadLibraryA.KERNEL32(?), ref: 024F2FB1
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 024F31DA
                                                                    • HeapFree.KERNEL32(00000000), ref: 024F31E1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1729171186.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_24f0000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                    • String ID:
                                                                    • API String ID: 1017166417-0
                                                                    • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                    • Instruction ID: 8147e6e128b689361e744be1c35b16ef96e8b44771509174dceaa996af349663
                                                                    • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                    • Instruction Fuzzy Hash: AE51BE3190028AEFCB41DF64D884AFABB75FF45304F1541AAED96D7210E732DA19CB90
                                                                    APIs
                                                                      • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                      • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                    • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1727845808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.1727845808.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_dIg0MWRViP.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                    • String ID:
                                                                    • API String ID: 1017166417-0
                                                                    • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                    • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                    • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                    • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                    Execution Graph

                                                                    Execution Coverage: 3.7%
                                                                    Dynamic/Decrypted Code Coverage: 2%
                                                                    Signature Coverage: 0%
                                                                    Total number of Nodes: 1564
                                                                    Total number of Limit Nodes: 32
                                                                    execution_graph 14681 409961 RegisterServiceCtrlHandlerA 14682 40997d 14681->14682 14689 4099cb 14681->14689 14691 409892 14682->14691 14684 40999a 14685 4099ba 14684->14685 14686 409892 SetServiceStatus 14684->14686 14687 409892 SetServiceStatus 14685->14687 14685->14689 14688 4099aa 14686->14688 14687->14689 14688->14685 14694 4098f2 14688->14694 14692 4098c2 SetServiceStatus 14691->14692 14692->14684 14696 4098f6 14694->14696 14697 409904 Sleep 14696->14697 14699 409917 14696->14699 14702 404280 CreateEventA 14696->14702 14697->14696 14698 409915 14697->14698 14698->14699 14701 409947 14699->14701 14729 40977c 14699->14729 14701->14685 14703 4042a5 14702->14703 14704 40429d 14702->14704 14743 403ecd 14703->14743 14704->14696 14706 4042b0 14747 404000 14706->14747 14709 4043c1 CloseHandle 14709->14704 14710 4042ce 14753 403f18 WriteFile 14710->14753 14715 4043ba CloseHandle 14715->14709 14716 404318 14717 403f18 4 API calls 14716->14717 14718 404331 14717->14718 14719 403f18 4 API calls 14718->14719 14720 40434a 14719->14720 14761 40ebcc GetProcessHeap HeapAlloc 14720->14761 14723 403f18 4 API calls 14724 404389 14723->14724 14764 40ec2e 14724->14764 14727 403f8c 4 API calls 14728 40439f CloseHandle CloseHandle 14727->14728 14728->14704 14793 40ee2a 14729->14793 14732 4097bb 14732->14701 14733 4097c2 14734 4097d4 Wow64GetThreadContext 14733->14734 14735 409801 14734->14735 14736 4097f5 14734->14736 14795 40637c 14735->14795 14737 4097f6 TerminateProcess 14736->14737 14737->14732 14739 409816 14739->14737 14740 40981e WriteProcessMemory 14739->14740 14740->14736 14741 40983b Wow64SetThreadContext 14740->14741 14741->14736 14742 409858 ResumeThread 14741->14742 14742->14732 14744 403ee2 14743->14744 14745 403edc 14743->14745 14744->14706 14769 406dc2 14745->14769 14748 40400b CreateFileA 14747->14748 14749 40402c GetLastError 14748->14749 14750 404052 14748->14750 14749->14750 14751 404037 
14749->14751 14750->14704 14750->14709 14750->14710 14751->14750 14752 404041 Sleep 14751->14752 14752->14748 14752->14750 14754 403f7c 14753->14754 14755 403f4e GetLastError 14753->14755 14757 403f8c ReadFile 14754->14757 14755->14754 14756 403f5b WaitForSingleObject GetOverlappedResult 14755->14756 14756->14754 14758 403ff0 14757->14758 14759 403fc2 GetLastError 14757->14759 14758->14715 14758->14716 14759->14758 14760 403fcf WaitForSingleObject GetOverlappedResult 14759->14760 14760->14758 14787 40eb74 14761->14787 14765 40ec37 14764->14765 14766 40438f 14764->14766 14790 40eba0 14765->14790 14766->14727 14770 406e24 14769->14770 14771 406dd7 14769->14771 14770->14744 14775 406cc9 14771->14775 14773 406ddc 14773->14770 14773->14773 14774 406e02 GetVolumeInformationA 14773->14774 14774->14770 14776 406cdc GetModuleHandleA GetProcAddress 14775->14776 14777 406dbe 14775->14777 14778 406d12 GetSystemDirectoryA 14776->14778 14779 406cfd 14776->14779 14777->14773 14780 406d27 GetWindowsDirectoryA 14778->14780 14781 406d1e 14778->14781 14779->14778 14782 406d8b 14779->14782 14784 406d42 14780->14784 14781->14780 14781->14782 14782->14777 14785 40ef1e lstrlenA 14784->14785 14786 40ef32 14785->14786 14786->14782 14788 40eb7b GetProcessHeap HeapSize 14787->14788 14789 404350 14787->14789 14788->14789 14789->14723 14791 40eba7 GetProcessHeap HeapSize 14790->14791 14792 40ebbf GetProcessHeap HeapFree 14790->14792 14791->14792 14792->14766 14794 409794 CreateProcessA 14793->14794 14794->14732 14794->14733 14796 406386 14795->14796 14797 40638a GetModuleHandleA VirtualAlloc 14795->14797 14796->14739 14798 4063b6 14797->14798 14802 4063f5 14797->14802 14799 4063be VirtualAllocEx 14798->14799 14800 4063d6 14799->14800 14799->14802 14801 4063df WriteProcessMemory 14800->14801 14801->14802 14802->14739 14846 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 14964 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 14846->14964 14848 409a95 14849 409aa3 
GetModuleHandleA GetModuleFileNameA 14848->14849 14854 40a3c7 14848->14854 14861 409ac4 14849->14861 14850 40a41c CreateThread WSAStartup 15077 40e52e 14850->15077 15904 40405e CreateEventA 14850->15904 14851 409afd GetCommandLineA 14862 409b22 14851->14862 14852 40a406 DeleteFileA 14852->14854 14855 40a40d 14852->14855 14854->14850 14854->14852 14854->14855 14857 40a3ed GetLastError 14854->14857 14855->14850 14856 40a445 15096 40eaaf 14856->15096 14857->14855 14859 40a3f8 Sleep 14857->14859 14859->14852 14860 40a44d 15100 401d96 14860->15100 14861->14851 14867 409c0c 14862->14867 14873 409b47 14862->14873 14864 40a457 15148 4080c9 14864->15148 14965 4096aa 14867->14965 14877 409b96 lstrlenA 14873->14877 14879 409b58 14873->14879 14874 40a1d2 14880 40a1e3 GetCommandLineA 14874->14880 14875 409c39 14878 40a167 GetModuleHandleA GetModuleFileNameA 14875->14878 14885 404280 30 API calls 14875->14885 14877->14879 14882 409c05 ExitProcess 14878->14882 14883 40a189 14878->14883 14879->14882 14886 409bd2 14879->14886 14907 40a205 14880->14907 14883->14882 14892 40a1b2 GetDriveTypeA 14883->14892 14888 409c5b 14885->14888 15023 40675c 14886->15023 14888->14878 14893 40675c 21 API calls 14888->14893 14892->14882 14894 40a1c5 14892->14894 14895 409c79 14893->14895 15069 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 14894->15069 14895->14878 14902 409ca0 GetTempPathA 14895->14902 14903 409e3e 14895->14903 14897 409bff 14897->14882 14899 40a491 14900 40a49f GetTickCount 14899->14900 14904 40a4be Sleep 14899->14904 14906 40a4b7 GetTickCount 14899->14906 15194 40c913 14899->15194 14900->14899 14900->14904 14902->14903 14905 409cba 14902->14905 14913 409e6b GetEnvironmentVariableA 14903->14913 14914 409e04 14903->14914 14904->14899 14973 4099d2 lstrcpyA 14905->14973 14906->14904 14910 40a285 lstrlenA 14907->14910 14924 40a239 14907->14924 14909 40ec2e codecvt 4 API calls 14912 40a15d 14909->14912 14910->14924 14912->14878 14912->14882 14913->14914 14915 409e7d 14913->14915 
[Execution graph: the page carried the report's function call graph rendering as a flat list of node ids, function addresses and id->id edges. Only the node labels (function address plus the APIs called there) are recoverable as text; they are listed below by kind of API, and the edge list is omitted. The dump is cut off mid-graph on the page.]

Service, thread and process creation: 40a39d StartServiceCtrlDispatcherA; CreateProcessA at 40a103, 4080c2, 40d4b1, 408719; 4015ff CreateProcessWithLogonW (preceded by 4015be GetStartupInfoW and 401570 lstrlenW, followed by 40163f WaitForSingleObject, 401659 and 401668 CloseHandle, 4016bf and 4016f9 GetLastError); ShellExecuteA at 4091d5 and 4092bf; 408269 CreateThread; ExitProcess at 40d582 and 40411c; 40cd81 WaitForSingleObject CloseHandle CloseHandle; 40d4e8, 40873d and 40426a CloseHandle CloseHandle.

Own-image path and file deletion: GetModuleHandleA GetModuleFileNameA at 409f9d and 40934a; DeleteFileA at 409e0c, 40a12a, 406b7f, 40cdbd, 407ece, 40875b.

Registry: RegOpenKeyExA at 409f32, 4094e8, 40972d, 40e3ca, 408156, 407469, 4074d2, 4070b9, 407a95, 407cf2, 4083ea, 4084a7, 408564; RegQueryValueExA at 40951f, 409556, 40816d, 4081aa, 407521, 40e434, 40e46e, 40e4b9, 4083fd, 4084c0, 4084f8; RegSetValueExA at 409f48 (with RegCloseKey), 407d43, 40e115, 40842d, 408573 (with RegCloseKey); 40e095 RegCreateKeyExA; RegDeleteValueA RegCloseKey at 40974f and 40e14e; 407703 RegEnumKeyA; 40719b RegEnumValueA; RegCloseKey at 40956e, 40820d, 407714, 407742, 4076e4, 4077e3, 4077ec, 4071af, 407205, 40728e, 4072cd, 407311, 4073d5, 407da7, 40e51d, 408447, 408521.

Security descriptors and ACLs, file side (407809 and following): 407809 GetUserNameA; 40783d LookupAccountNameA; 407874 GetLengthSid GetFileSecurityA; 4078a8 GetSecurityDescriptorOwner; EqualSid at 4078c5, 407980, 4079be; 40791d GetSecurityDescriptorDacl; 40795b GetAce; 40799d DeleteAce; LocalAlloc at 4078dc and 407a43; InitializeSecurityDescriptor at 4078ef and 407a56; 4078fb SetSecurityDescriptorOwner; 407a62 SetSecurityDescriptorDacl; SetFileSecurityA at 40790b and 407a73; LocalFree at 407916 and 407a86.
Security descriptors and ACLs, registry side (407a95 and following): 407acb GetUserNameA; 407aed LookupAccountNameA; 407b24 RegGetKeySecurity; 407b49 GetSecurityDescriptorOwner; EqualSid at 407b63, 407c1d, 407c5f; 407bb8 GetSecurityDescriptorDacl; 407bf8 GetAce; 407c3a DeleteAce; LocalAlloc at 407b74 and 407d5a; InitializeSecurityDescriptor at 407b8a and 407d70; 407b96 SetSecurityDescriptorOwner; 407d7c SetSecurityDescriptorDacl; RegSetKeySecurity at 407ba6 and 407d8c; LocalFree at 407bb1 and 407d9f.
Token and SID handling: 406eef AllocateAndInitializeSid; 406f1c CheckTokenMembership; 406f3b FreeSid; 406e36 GetUserNameW; 406e5f LookupAccountNameW; 406f5f GetUserNameA; 406f88 LookupAccountNameA; 406fdb ConvertSidToStringSidA; 407013 LocalFree; 40702a wsprintfA.

Winsock: 40f347 htons socket; ioctlsocket at 40f382 and 40f403; 40f3aa connect select; 40f3f2 __WSAFDIsSet; 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt; send at 40c73c and 40c65c (send GetProcessHeap HeapSize GetProcessHeap HeapAlloc); recv at 40f473 and 40f43e; closesocket at 40f374, 40f39f, 40ca4b, 40cb60, 40dad2, 40d569 (closesocket Sleep); 4030d0 gethostname gethostbyname; 402692 inet_addr; 40269e gethostbyname; 4026b2 gethostbyaddr; 4026e1 inet_ntoa; 40199c inet_addr LoadLibraryA.

Named pipe: 404159 CreateNamedPipeA; 404188 ConnectNamedPipe; 40425e DisconnectNamedPipe; 404195 GetLastError; 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult; 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult; 404167 Sleep; CloseHandle at 404176 and 404127.

Device and file I/O: 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle; CreateFileA at 406784, 4067a4, 406a60, 4090fd, 40cc9f, 40d15b, 40d2b1, 40d3f2, 40db89 (lstrcpyA CreateFileA); WriteFile at 4069b9, 406a10, 40ccc6, 40e1f9, 40911a (lstrlenA WriteFile CloseHandle), 40d182, 40d2d8, 40d415 (WriteFile CloseHandle); ReadFile at 4067ed, 40682a, 406878, 40690d, 40e576; SetFilePointer at 406811, 406848, 406900; GetFileSize at 4067cf and 40e555; SetFileAttributesA at 40677a, 4067ba, 40d149, 40d1bf, 40d29f, 40d31d, 40d3e0, 40d452; GetFileAttributesExA at 409dde, 40777e, 40737e; 406a8f GetDiskFreeSpaceA; 409ff1 GetDriveTypeA; GetTempPathA at 409064, 40cc1c, 408626; GetSystemDirectoryA at 40cfe3 and 40d027; GetEnvironmentVariableA at 40cfad, 40d22d, 40d36e, 40db67; GetLastError CloseHandle at 406b36 and 406b65; 406b8c GetLastError.

Dynamic import and host fingerprinting: 40100d LoadLibraryA followed by 15 GetProcAddress nodes (4010b5 through 40125c); 401ac3 LoadLibraryA; 401ae2 GetProcAddress; 4019d5 GetProcAddress GetProcAddress GetProcAddress; FreeLibrary at 401aa1 and 401ab3; 40eaed LoadLibraryA; 40eb02 GetProcAddress; 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime; GetVersionExA at 401db4 and 401924; 401dd0 GetSystemInfo GetModuleHandleA GetProcAddress; GetCurrentProcess at 401e16 and 401851; 401c0d GetComputerNameA; 401c45 GetVolumeInformationA; 401b68 GetComputerNameA GetVolumeInformationA; 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount; 406ba7 IsBadCodePtr.

Timing and synchronisation: GetTickCount at 40dd05, 40dd2e, 401f8e, 4030fa, 40310f, 40206e, 4020d4, 4020db, 40212b, 402132 (twice), 40bfce (GetTickCount wsprintfA); Sleep at 408dec, 4092f1, 40dd39, 40311a, 407dc0, 4088a0; InterlockedExchange at 40dd41, 407dc8, 403122; GetCurrentThreadId at 40dd20 and 40dd53.

Heap and string helpers: 401a14 GetProcessHeap; 401a2e HeapAlloc; 401a52 HeapReAlloc; 401a96 HeapFree; 40ec0a GetProcessHeap HeapReAlloc; 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc; 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree (codecvt); 40f0fa lstrlenA SysAllocStringByteLen; 40f11c MultiByteToWideChar; ___ascii_stricmp at 407487 and 4072b8; numerous lstrcatA, lstrcpyA, lstrcpynA, lstrlenA, lstrcmpA, lstrcmpiA and wsprintfA nodes (for example 409d72 lstrcpyA lstrcatA lstrcatA, 409eb0 lstrcpyA lstrlenA, 4086e0 lstrcpyA lstrlenA, 40e926 lstrlenA lstrlenA).

Nodes the graph summarises only by count: 40c2dc 141 API calls; 407fcf and 407ee6 64; 4098f2 41; 40ea84 and 40e8a1 30; 40c517 and 40e318 23; 40675c 21; 40df4c 20; 40e3ca 19; 401820 and 4073ff 17; 4099d2 and 40704c 16; 401978 15; 40e332 14; 40e654, 406a60 and 40e854 13; 40df70 and 401ac3 12; 40e819 11.
16048 407ee6 64 API calls 16047->16048 16049 408754 16048->16049 16050 407ead 6 API calls 16049->16050 16051 40875a 16050->16051 16051->16024 16068 40a4c7 GetTickCount 16052->16068 16055 40c300 GetTickCount 16057 40c337 16055->16057 16056 40c326 16056->16057 16058 40c32b GetTickCount 16056->16058 16062 40c363 GetTickCount 16057->16062 16067 40c45e 16057->16067 16058->16057 16059 40c4d2 16059->15952 16060 40c4ab InterlockedIncrement CreateThread 16060->16059 16061 40c4cb CloseHandle 16060->16061 16073 40b535 16060->16073 16061->16059 16063 40c373 16062->16063 16062->16067 16064 40c378 GetTickCount 16063->16064 16065 40c37f 16063->16065 16064->16065 16066 40c43b GetTickCount 16065->16066 16066->16067 16067->16059 16067->16060 16069 40a4f7 InterlockedExchange 16068->16069 16070 40a500 16069->16070 16071 40a4e4 GetTickCount 16069->16071 16070->16055 16070->16056 16070->16067 16071->16070 16072 40a4ef Sleep 16071->16072 16072->16069 16074 40b566 16073->16074 16075 40ebcc 4 API calls 16074->16075 16076 40b587 16075->16076 16077 40ebcc 4 API calls 16076->16077 16078 40b590 16077->16078 16079 40bdcd InterlockedDecrement 16078->16079 16085 40bdb7 Sleep 16078->16085 16088 40bdcc 16078->16088 16090 40ebed 8 API calls 16078->16090 16093 40b6b6 lstrlenA 16078->16093 16094 4030b5 2 API calls 16078->16094 16095 40b6ed lstrcpyA 16078->16095 16096 40e819 11 API calls 16078->16096 16099 40b731 lstrlenA 16078->16099 16100 40b71f lstrcmpA 16078->16100 16101 40b772 GetTickCount 16078->16101 16102 40bd49 InterlockedIncrement 16078->16102 16105 40bc5b InterlockedIncrement 16078->16105 16106 40b7ce InterlockedIncrement 16078->16106 16109 40b912 GetTickCount 16078->16109 16110 40b826 InterlockedIncrement 16078->16110 16111 40b932 GetTickCount 16078->16111 16112 40bcdc closesocket 16078->16112 16114 4038f0 6 API calls 16078->16114 16116 40bba6 InterlockedIncrement 16078->16116 16119 40bc4c closesocket 16078->16119 16121 405ce1 22 API calls 16078->16121 16122 40ba71 wsprintfA 16078->16122 
16123 405ded 12 API calls 16078->16123 16126 40ab81 lstrcpynA InterlockedIncrement 16078->16126 16127 40a7c1 22 API calls 16078->16127 16128 40ef1e lstrlenA 16078->16128 16130 403e10 16078->16130 16133 403e4f 16078->16133 16136 40384f 16078->16136 16156 40a7a3 inet_ntoa 16078->16156 16163 40abee 16078->16163 16175 401feb GetTickCount 16078->16175 16176 40a688 16078->16176 16199 403cfb 16078->16199 16202 40b3c5 16078->16202 16233 40ab81 16078->16233 16080 40bde2 16079->16080 16082 40ec2e codecvt 4 API calls 16080->16082 16083 40bdea 16082->16083 16084 40ec2e codecvt 4 API calls 16083->16084 16086 40bdf2 16084->16086 16085->16078 16087 40be05 16086->16087 16089 40ec2e codecvt 4 API calls 16086->16089 16088->16079 16089->16087 16090->16078 16093->16078 16094->16078 16148 405ce1 16095->16148 16096->16078 16099->16078 16100->16078 16100->16099 16101->16078 16245 40a628 16102->16245 16105->16078 16158 40acd7 16106->16158 16109->16078 16110->16101 16111->16078 16113 40bc6d InterlockedIncrement 16111->16113 16112->16078 16113->16078 16114->16078 16116->16078 16119->16078 16121->16078 16179 40a7c1 16122->16179 16123->16078 16126->16078 16127->16078 16128->16078 16131 4030fa 4 API calls 16130->16131 16132 403e1d 16131->16132 16132->16078 16134 4030fa 4 API calls 16133->16134 16135 403e5c 16134->16135 16135->16078 16137 4030fa 4 API calls 16136->16137 16138 403863 16137->16138 16139 4038b9 16138->16139 16140 403889 16138->16140 16147 4038b2 16138->16147 16254 4035f9 16139->16254 16248 403718 16140->16248 16145 403718 6 API calls 16145->16147 16146 4035f9 6 API calls 16146->16147 16147->16078 16149 405cf4 16148->16149 16150 405cec 16148->16150 16152 404bd1 4 API calls 16149->16152 16260 404bd1 GetTickCount 16150->16260 16153 405d02 16152->16153 16265 405472 16153->16265 16157 40a7b9 16156->16157 16157->16078 16159 40f315 14 API calls 16158->16159 16160 40aceb 16159->16160 16161 40acff 16160->16161 16162 40f315 14 API calls 16160->16162 16161->16078 16162->16161 16164 40abfb 
16163->16164 16167 40ac65 16164->16167 16328 402f22 16164->16328 16166 40f315 14 API calls 16166->16167 16167->16166 16168 40ac8a 16167->16168 16169 40ac6f 16167->16169 16168->16078 16171 40ab81 2 API calls 16169->16171 16170 40ac23 16170->16167 16172 402684 2 API calls 16170->16172 16173 40ac81 16171->16173 16172->16170 16336 4038f0 16173->16336 16175->16078 16350 40a63d 16176->16350 16178 40a696 16178->16078 16180 40a87d lstrlenA send 16179->16180 16184 40a7df 16179->16184 16181 40a899 16180->16181 16182 40a8bf 16180->16182 16185 40a8a5 wsprintfA 16181->16185 16198 40a89e 16181->16198 16186 40a8c4 send 16182->16186 16191 40a8f2 16182->16191 16183 40a80a 16183->16180 16184->16180 16184->16183 16189 40a7fa wsprintfA 16184->16189 16184->16191 16185->16198 16188 40a8d8 wsprintfA 16186->16188 16186->16191 16187 40a978 recv 16187->16191 16192 40a982 16187->16192 16188->16198 16189->16183 16190 40a9b0 wsprintfA 16190->16198 16191->16187 16191->16190 16191->16192 16193 4030b5 2 API calls 16192->16193 16192->16198 16194 40ab05 16193->16194 16195 40e819 11 API calls 16194->16195 16196 40ab17 16195->16196 16197 40a7a3 inet_ntoa 16196->16197 16197->16198 16198->16078 16200 4030fa 4 API calls 16199->16200 16201 403d0b 16200->16201 16201->16078 16203 405ce1 22 API calls 16202->16203 16204 40b3e6 16203->16204 16205 405ce1 22 API calls 16204->16205 16207 40b404 16205->16207 16206 40b440 16209 40ef7c 3 API calls 16206->16209 16207->16206 16208 40ef7c 3 API calls 16207->16208 16210 40b42b 16208->16210 16211 40b458 wsprintfA 16209->16211 16212 40ef7c 3 API calls 16210->16212 16213 40ef7c 3 API calls 16211->16213 16212->16206 16214 40b480 16213->16214 16215 40ef7c 3 API calls 16214->16215 16216 40b493 16215->16216 16217 40ef7c 3 API calls 16216->16217 16218 40b4bb 16217->16218 16355 40ad89 GetLocalTime SystemTimeToFileTime 16218->16355 16222 40b4cc 16223 40ef7c 3 API calls 16222->16223 16224 40b4dd 16223->16224 16225 40b211 7 API calls 16224->16225 16226 40b4ec 16225->16226 16227 
40ef7c 3 API calls 16226->16227 16228 40b4fd 16227->16228 16229 40b211 7 API calls 16228->16229 16230 40b509 16229->16230 16231 40ef7c 3 API calls 16230->16231 16232 40b51a 16231->16232 16232->16078 16234 40ab8c 16233->16234 16236 40abe9 GetTickCount 16233->16236 16235 40aba8 lstrcpynA 16234->16235 16234->16236 16237 40abe1 InterlockedIncrement 16234->16237 16235->16234 16238 40a51d 16236->16238 16237->16234 16239 40a4c7 4 API calls 16238->16239 16240 40a52c 16239->16240 16241 40a542 GetTickCount 16240->16241 16243 40a539 GetTickCount 16240->16243 16241->16243 16244 40a56c 16243->16244 16244->16078 16246 40a4c7 4 API calls 16245->16246 16247 40a633 16246->16247 16247->16078 16249 40f04e 4 API calls 16248->16249 16251 40372a 16249->16251 16250 403847 16250->16145 16250->16147 16251->16250 16252 4037b3 GetCurrentThreadId 16251->16252 16252->16251 16253 4037c8 GetCurrentThreadId 16252->16253 16253->16251 16255 40f04e 4 API calls 16254->16255 16259 40360c 16255->16259 16256 4036f1 16256->16146 16256->16147 16257 4036da GetCurrentThreadId 16257->16256 16258 4036e5 GetCurrentThreadId 16257->16258 16258->16256 16259->16256 16259->16257 16261 404bff InterlockedExchange 16260->16261 16262 404c08 16261->16262 16263 404bec GetTickCount 16261->16263 16262->16149 16263->16262 16264 404bf7 Sleep 16263->16264 16264->16261 16284 404763 16265->16284 16267 405b58 16294 404699 16267->16294 16270 404763 lstrlenA 16271 405b6e 16270->16271 16315 404f9f 16271->16315 16273 405b79 16273->16078 16275 405549 lstrlenA 16282 40548a 16275->16282 16276 405472 13 API calls 16276->16282 16278 40558d lstrcpynA 16278->16282 16279 405a9f lstrcpyA 16279->16282 16280 405935 lstrcpynA 16280->16282 16281 4058e7 lstrcpyA 16281->16282 16282->16267 16282->16276 16282->16278 16282->16279 16282->16280 16282->16281 16283 404ae6 8 API calls 16282->16283 16288 404ae6 16282->16288 16292 40ef7c lstrlenA lstrlenA lstrlenA 16282->16292 16283->16282 16286 40477a 16284->16286 16285 404859 16285->16282 16286->16285 
16287 40480d lstrlenA 16286->16287 16287->16286 16289 404af3 16288->16289 16291 404b03 16288->16291 16290 40ebed 8 API calls 16289->16290 16290->16291 16291->16275 16293 40efb4 16292->16293 16293->16282 16320 4045b3 16294->16320 16297 4045b3 7 API calls 16298 4046c6 16297->16298 16299 4045b3 7 API calls 16298->16299 16300 4046d8 16299->16300 16301 4045b3 7 API calls 16300->16301 16302 4046ea 16301->16302 16303 4045b3 7 API calls 16302->16303 16304 4046ff 16303->16304 16305 4045b3 7 API calls 16304->16305 16306 404711 16305->16306 16307 4045b3 7 API calls 16306->16307 16308 404723 16307->16308 16309 40ef7c 3 API calls 16308->16309 16310 404735 16309->16310 16311 40ef7c 3 API calls 16310->16311 16312 40474a 16311->16312 16313 40ef7c 3 API calls 16312->16313 16314 40475c 16313->16314 16314->16270 16316 404fac 16315->16316 16319 404fb0 16315->16319 16316->16273 16317 404ffd 16317->16273 16318 404fd5 IsBadCodePtr 16318->16319 16319->16317 16319->16318 16321 4045c1 16320->16321 16322 4045c8 16320->16322 16323 40ebcc 4 API calls 16321->16323 16324 40ebcc 4 API calls 16322->16324 16326 4045e1 16322->16326 16323->16322 16324->16326 16325 404691 16325->16297 16326->16325 16327 40ef7c 3 API calls 16326->16327 16327->16326 16343 402d21 GetModuleHandleA 16328->16343 16331 402fcf GetProcessHeap HeapFree 16335 402f44 16331->16335 16332 402f85 16332->16331 16332->16332 16333 402f4f 16334 402f6b GetProcessHeap HeapFree 16333->16334 16334->16335 16335->16170 16335->16335 16337 403900 16336->16337 16339 403980 16336->16339 16338 4030fa 4 API calls 16337->16338 16342 40390a 16338->16342 16339->16168 16340 40391b GetCurrentThreadId 16340->16342 16341 403939 GetCurrentThreadId 16341->16342 16342->16339 16342->16340 16342->16341 16344 402d46 LoadLibraryA 16343->16344 16345 402d5b GetProcAddress 16343->16345 16344->16345 16347 402d54 16344->16347 16345->16347 16349 402d6b 16345->16349 16346 402d97 GetProcessHeap HeapAlloc 16346->16347 16346->16349 16347->16332 16347->16333 16347->16335 
16348 402db5 lstrcpynA 16348->16349 16349->16346 16349->16347 16349->16348 16351 40a645 16350->16351 16352 40a64d 16350->16352 16351->16178 16353 40a66e 16352->16353 16354 40a65e GetTickCount 16352->16354 16353->16178 16354->16353 16356 40adbf 16355->16356 16380 40ad08 gethostname 16356->16380 16359 4030b5 2 API calls 16360 40add3 16359->16360 16361 40a7a3 inet_ntoa 16360->16361 16364 40ade4 16360->16364 16361->16364 16362 40ae85 wsprintfA 16363 40ef7c 3 API calls 16362->16363 16365 40aebb 16363->16365 16364->16362 16366 40ae36 wsprintfA wsprintfA 16364->16366 16367 40ef7c 3 API calls 16365->16367 16368 40ef7c 3 API calls 16366->16368 16369 40aed2 16367->16369 16368->16364 16370 40b211 16369->16370 16371 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16370->16371 16372 40b2af GetLocalTime 16370->16372 16373 40b2d2 16371->16373 16372->16373 16374 40b2d9 SystemTimeToFileTime 16373->16374 16375 40b31c GetTimeZoneInformation 16373->16375 16376 40b2ec 16374->16376 16377 40b33a wsprintfA 16375->16377 16378 40b312 FileTimeToSystemTime 16376->16378 16377->16222 16378->16375 16381 40ad71 16380->16381 16385 40ad26 lstrlenA 16380->16385 16383 40ad85 16381->16383 16384 40ad79 lstrcpyA 16381->16384 16383->16359 16384->16383 16385->16381 16386 40ad68 lstrlenA 16385->16386 16386->16381 16388 40f428 14 API calls 16387->16388 16389 40198a 16388->16389 16390 401990 closesocket 16389->16390 16391 401998 16389->16391 16390->16391 16391->15982 16393 402d21 6 API calls 16392->16393 16394 402f01 16393->16394 16395 402f0f 16394->16395 16408 402df2 GetModuleHandleA 16394->16408 16397 402684 2 API calls 16395->16397 16399 402f1f 16395->16399 16398 402f1d 16397->16398 16398->15983 16399->15983 16401 401c80 16400->16401 16402 401cc2 wsprintfA 16401->16402 16404 401d1c 16401->16404 16407 401d79 16401->16407 16403 402684 2 API calls 16402->16403 16403->16401 16405 401d47 wsprintfA 16404->16405 16406 402684 2 API calls 16405->16406 16406->16407 16407->15999 16409 402e10 LoadLibraryA 
16408->16409 16410 402e0b 16408->16410 16411 402e17 16409->16411 16410->16409 16410->16411 16412 402ef1 16411->16412 16413 402e28 GetProcAddress 16411->16413 16412->16395 16413->16412 16414 402e3e GetProcessHeap HeapAlloc 16413->16414 16415 402e62 16414->16415 16415->16412 16416 402ede GetProcessHeap HeapFree 16415->16416 16417 402e7f htons inet_addr 16415->16417 16418 402ea5 gethostbyname 16415->16418 16420 402ceb 16415->16420 16416->16412 16417->16415 16417->16418 16418->16415 16421 402cf2 16420->16421 16423 402d1c 16421->16423 16424 402d0e Sleep 16421->16424 16425 402a62 GetProcessHeap HeapAlloc 16421->16425 16423->16415 16424->16421 16424->16423 16426 402a92 16425->16426 16427 402a99 socket 16425->16427 16426->16421 16428 402cd3 GetProcessHeap HeapFree 16427->16428 16429 402ab4 16427->16429 16428->16426 16429->16428 16443 402abd 16429->16443 16430 402adb htons 16445 4026ff 16430->16445 16432 402b04 select 16432->16443 16433 402ca4 16434 402cb3 GetProcessHeap HeapFree closesocket 16433->16434 16434->16426 16435 402b3f recv 16435->16443 16436 402b66 htons 16436->16433 16436->16443 16437 402b87 htons 16437->16433 16437->16443 16440 402bf3 GetProcessHeap HeapAlloc 16440->16443 16441 402c17 htons 16460 402871 16441->16460 16443->16430 16443->16432 16443->16433 16443->16434 16443->16435 16443->16436 16443->16437 16443->16440 16443->16441 16444 402c4d GetProcessHeap HeapFree 16443->16444 16452 402923 16443->16452 16464 402904 16443->16464 16444->16443 16446 40271d 16445->16446 16447 402717 16445->16447 16449 40272b GetTickCount htons 16446->16449 16448 40ebcc 4 API calls 16447->16448 16448->16446 16450 4027cc htons htons sendto 16449->16450 16451 40278a 16449->16451 16450->16443 16451->16450 16453 402944 16452->16453 16454 40293d 16452->16454 16468 402816 htons 16453->16468 16454->16443 16456 402871 htons 16459 402950 16456->16459 16457 4029bd htons htons htons 16457->16454 16458 4029f6 GetProcessHeap HeapAlloc 16457->16458 16458->16454 16458->16459 16459->16454 
16459->16456 16459->16457 16461 4028e3 16460->16461 16462 402889 16460->16462 16461->16443 16462->16461 16463 4028c3 htons 16462->16463 16463->16461 16463->16462 16465 402921 16464->16465 16466 402908 16464->16466 16465->16443 16467 402909 GetProcessHeap HeapFree 16466->16467 16467->16465 16467->16467 16469 40286b 16468->16469 16470 402836 16468->16470 16469->16459 16470->16469 16471 40285c htons 16470->16471 16471->16469 16471->16470 16473 406bc0 16472->16473 16474 406bbc 16472->16474 16475 406bd4 16473->16475 16476 40ebcc 4 API calls 16473->16476 16474->16016 16475->16016 16477 406be4 16476->16477 16477->16475 16478 406c07 CreateFileA 16477->16478 16479 406bfc 16477->16479 16481 406c34 WriteFile 16478->16481 16482 406c2a 16478->16482 16480 40ec2e codecvt 4 API calls 16479->16480 16480->16475 16484 406c49 CloseHandle DeleteFileA 16481->16484 16485 406c5a CloseHandle 16481->16485 16483 40ec2e codecvt 4 API calls 16482->16483 16483->16475 16484->16482 16486 40ec2e codecvt 4 API calls 16485->16486 16486->16475 14803 24c0005 14808 24c092b GetPEB 14803->14808 14805 24c0030 14810 24c003c 14805->14810 14809 24c0972 14808->14809 14809->14805 14811 24c0049 14810->14811 14825 24c0e0f SetErrorMode SetErrorMode 14811->14825 14816 24c0265 14817 24c02ce VirtualProtect 14816->14817 14818 24c030b 14817->14818 14819 24c0439 VirtualFree 14818->14819 14823 24c04be 14819->14823 14824 24c05f4 LoadLibraryA 14819->14824 14820 24c04e3 LoadLibraryA 14820->14823 14822 24c08c7 14823->14820 14823->14824 14824->14822 14826 24c0223 14825->14826 14827 24c0d90 14826->14827 14828 24c0dad 14827->14828 14829 24c0dbb GetPEB 14828->14829 14830 24c0238 VirtualAlloc 14828->14830 14829->14830 14830->14816 14831 26f8d26 14832 26f8d35 14831->14832 14835 26f94c6 14832->14835 14836 26f94e1 14835->14836 14837 26f94ea CreateToolhelp32Snapshot 14836->14837 14838 26f9506 Module32First 14836->14838 14837->14836 14837->14838 14839 26f8d3e 14838->14839 14840 26f9515 14838->14840 14842 26f9185 14840->14842 14843 
26f91b0 14842->14843 14844 26f91c1 VirtualAlloc 14843->14844 14845 26f91f9 14843->14845 14844->14845
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\dIg0MWRViP.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\dIg0MWRViP.exe$C:\Windows\SysWOW64\soirllif\rdliobhf.exe$D$P$\$soirllif
• API String ID: 2089075347-2557760764
• Opcode ID: 117ca98af2dac046968fa157663bb78c5b3ef41bfb034ede8011e49c8b204cf1
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 117ca98af2dac046968fa157663bb78c5b3ef41bfb034ede8011e49c8b204cf1
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

Control-flow Graph

Control-flow graph for 00401280-00401813 (rendered graph omitted): ShellExecuteExW (ref 0040139A) falls in block 00401373-004013A2; lstrlenW in 00401570-00401577; sub_0040EE08 in 0040158C-004015B0; GetStartupInfoW in 004015BE-004015F4; CreateProcessWithLogonW in 004015FF-00401639; WaitForSingleObject in 0040163F-00401657; CloseHandle at 00401659 and 00401668; GetLastError in 004016BF-004016D9 and 004016F9-0040170F; sub_0040EC50 in 004017ED-00401813.
                                                                    APIs
                                                                    • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                    • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExecuteShelllstrlen
                                                                    • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                    • API String ID: 1628651668-179334549
                                                                    • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                    • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                    • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                    • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A

Control-flow Graph

Control-flow graph for 004073FF-00407808 (rendered graph omitted): sub_00406DC2, sub_00402544 and RegOpenKeyExA in block 0040743A-00407481; RegEnumKeyA in 00407703-0040770E heads a loop that comes back through 004076ED-00407700; inside the loop, per subkey: sub_00406CAD (004074A2-004074B1), sub_0040F1A5 (004074B7-004074CC), RegOpenKeyExA (004074D2-004074F8), sub_00402544 with RegQueryValueExA (004074FE-00407530), ___ascii_stricmp (ref 0040764D, block 00407644-00407656) and GetFileAttributesExA (0040777E-00407797). RegCloseKey appears in blocks 004076E4, 00407714, 00407742, 004077E3 and 004077EC.
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                    • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                    • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                    • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                      • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                    • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                    • String ID: "
                                                                    • API String ID: 3433985886-123907689
                                                                    • Opcode ID: d1745f93e4738621f3a81734226608b64e23a07a53a3347429d52bf37170d4a4
                                                                    • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                    • Opcode Fuzzy Hash: d1745f93e4738621f3a81734226608b64e23a07a53a3347429d52bf37170d4a4
                                                                    • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

Control-flow Graph

Control-flow graph for 024C003C-024C091D (rendered graph omitted): sub_024C0A3F, sub_024C0E0F (the SetErrorMode pair listed further below), sub_024C0D90 and VirtualAlloc in block 024C004C-024C0263; sub_024C0A69 in 024C0265-024C0289; VirtualProtect with sub_024C0CCE and sub_024C0CE7 in 024C02CE-024C03C2; sub_024C0CE7 again in 024C03E2-024C0437; VirtualFree in 024C0439-024C04B8; LoadLibraryA in 024C04E3-024C0505 and 024C086E-024C08BE. The remaining blocks contain no API calls.
                                                                    APIs
                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 024C024D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID: cess$kernel32.dll
                                                                    • API String ID: 4275171209-1230238691
                                                                    • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                    • Instruction ID: fc6d8bf3b30f58ecec1e8ce670d687e404b49ad6cec5627aabf533009412aab4
                                                                    • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                    • Instruction Fuzzy Hash: 0D526C74A01229DFDBA4CF58C984BADBBB1BF09304F1480DAE54DAB351DB30AA95CF14

Control-flow Graph

Control-flow graph for 0040977C-00409866 (rendered graph omitted): sub_0040EE2A and CreateProcessA in block 0040977C-004097B9; sub_0040EE2A and Wow64GetThreadContext in 004097C2-004097F3; sub_0040637C (the VirtualAllocEx/WriteProcessMemory routine listed above) in 00409801-0040981C; WriteProcessMemory in 0040981E-00409839; Wow64SetThreadContext in 0040983B-00409856; ResumeThread in 00409858-00409863. Blocks 004097C2, 00409801, 0040981E and 0040983B each have an alternate edge into TerminateProcess at 004097F6-004097FF; a failed CreateProcessA (004097BB-004097BD) goes straight to the exit at 00409864.
                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                    • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                    • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                    • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                    • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                    • String ID: D
                                                                    • API String ID: 2098669666-2746444292
                                                                    • Opcode ID: db8e7b4b42e65af80add877bb874c42dec97f5f82b139a1a33863129b24a212d
                                                                    • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                    • Opcode Fuzzy Hash: db8e7b4b42e65af80add877bb874c42dec97f5f82b139a1a33863129b24a212d
                                                                    • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

Control-flow Graph

Control-flow graph for 00404000-0040405C (rendered graph omitted): CreateFileA in block 0040400B-0040402A; on its alternate edge GetLastError (0040402C-00404035) and Sleep (00404041-00404050), after which an edge returns to the CreateFileA block, forming a retry loop; exits at 00404052 and 00404057-0040405C.
                                                                    APIs
                                                                    • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                    • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                    • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateErrorFileLastSleep
                                                                    • String ID:
                                                                    • API String ID: 408151869-0
                                                                    • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                    • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                    • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                    • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                    • GetTickCount.KERNEL32 ref: 0040EC78
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Time$CountFileInformationSystemTickVolume
                                                                    • String ID:
                                                                    • API String ID: 1209300637-0
                                                                    • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                    • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                    • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                    • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

Control-flow Graph

Control-flow graph for 00406E36-00406EC2 (rendered graph omitted): GetUserNameW in block 00406E36-00406E5D, LookupAccountNameW in 00406E5F-00406E95, then result checks in 00406E97-00406EBD without further API calls; both API blocks also branch directly to the exit at 00406EBE-00406EC2.
                                                                    APIs
                                                                    • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                    • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Name$AccountLookupUser
                                                                    • String ID:
                                                                    • API String ID: 2370142434-0
                                                                    • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                    • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                    • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                    • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

Control-flow Graph

Control-flow graph for 026F94C6-026F9524 (rendered graph omitted): CreateToolhelp32Snapshot in block 026F94EA-026F94F6, Module32First in 026F9506-026F9513, sub_026F9185 at 026F9515-026F9516; blocks 026F94F8-026F94FE and 026F9500-026F9504 loop back to 026F94E1, before the snapshot call.
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 026F94EE
                                                                    • Module32First.KERNEL32(00000000,00000224), ref: 026F950E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1728761636.00000000026F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 026F8000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_26f8000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 3833638111-0
                                                                    • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                    • Instruction ID: e46097eaea17a340783bf3680106f53e8f8d1ff6836240b338b794557d10e0b4
                                                                    • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                    • Instruction Fuzzy Hash: 9BF096316017117FDB707BF5988CB6E76E8FF89729F100628E746911C0DB70E8458A61

Control-flow Graph

Control-flow graph for 024C0E0F-024C0E2C (rendered graph omitted): two consecutive SetErrorMode calls in block 024C0E0F-024C0E24, then either 024C0E26 or directly the return at 024C0E2B-024C0E2C.
                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00000400,?,?,024C0223,?,?), ref: 024C0E19
                                                                    • SetErrorMode.KERNELBASE(00000000,?,?,024C0223,?,?), ref: 024C0E1E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorMode
                                                                    • String ID:
                                                                    • API String ID: 2340568224-0
                                                                    • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                    • Instruction ID: 19e3bb3d86d1ccb7e2d50aa8a73f4fa727658f1bcbf078656ba80fd3e822a18e
                                                                    • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                    • Instruction Fuzzy Hash: 82D01235145128B7D7403A94DC09BDE7B1CDF05B66F108011FB0DD9180C770954046E5
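
The three call chains listed above can be matched mechanically from the report's own "APIs" lines. The helper at 0040637C allocates memory in another process with VirtualAllocEx using flProtect 00000040 (PAGE_EXECUTE_READWRITE) and fills it with WriteProcessMemory. The routine at 0040977C calls CreateProcessA with dwCreationFlags 00000004 (CREATE_SUSPENDED), reads the primary thread's context, calls that helper, writes, sets the context and resumes the thread, which is the suspended-process hollowing sequence. The routine at 024C0E0F calls SetErrorMode(00000400) immediately followed by SetErrorMode(00000000): the second call returns the previous mode, so the sample learns whether the first call was honoured, a known sandbox probe. The script below is an added example, not code from Joe Sandbox or from the sample. It parses API lines in the report's format and matches them against those three chains; the parser, the rule names and the text constants (copied from the listings above) are this example's own, and the Win32 constants are the documented winbase.h/winnt.h values.

```python
"""Match Joe Sandbox per-function "APIs" listings against injection and
sandbox-probe call chains. Added example, not code from Joe Sandbox or from the
sample; constants are from winbase.h/winnt.h, rule names and parser are mine."""
import re
from typing import NamedTuple

CREATE_SUSPENDED = 0x4          # CreateProcess dwCreationFlags (argument index 5)
PAGE_EXECUTE_READWRITE = 0x40   # VirtualAllocEx flProtect (argument index 4)
SETERRORMODE_PROBE = 0x400      # value a known sandbox check passes to SetErrorMode

# "• Name.MODULE(arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR"; lines marked
# "Part of subcall function X:" describe a callee and are skipped.
_LINE = re.compile(r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
                   r"(?P<name>\w+)\.\w+(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

class ApiCall(NamedTuple):
    name: str
    args: list   # int for 8-digit hex, None for '?', str for literals the report resolved
    ref: int     # address of the call instruction

    def arg(self, i: int):
        return self.args[i] if i < len(self.args) else None

def _parse_arg(tok: str):
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_api_lines(text: str) -> list:
    """One function's listing sorted by call address (execution order only for straight-line
    code). Joe Sandbox prints raw stack slots, so only the leading, documented positions count."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and not m.group("sub"):
            raw = m.group("args")
            calls.append(ApiCall(m.group("name"), [_parse_arg(t) for t in raw.split(",")] if raw else [],
                                 int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)

def _flag(i, mask):   # argument i is an int with every bit of mask set
    return lambda c: isinstance(c.arg(i), int) and (c.arg(i) & mask) == mask

def _eq(i, value):
    return lambda c: c.arg(i) == value

_ANY = lambda _c: True

RULES = {   # each rule: ordered chain of (accepted API names, predicate on that call)
    # CreateProcess(CREATE_SUSPENDED) -> get context -> write -> set context -> resume
    "process_hollowing": [
        ({"CreateProcessA", "CreateProcessW"}, _flag(5, CREATE_SUSPENDED)),
        ({"GetThreadContext", "Wow64GetThreadContext"}, _ANY),
        ({"WriteProcessMemory"}, _ANY),
        ({"SetThreadContext", "Wow64SetThreadContext"}, _ANY),
        ({"ResumeThread"}, _ANY),
    ],
    # RWX allocation in a foreign process followed by a write into it
    "remote_rwx_write": [
        ({"VirtualAllocEx"}, _eq(4, PAGE_EXECUTE_READWRITE)),
        ({"WriteProcessMemory"}, _ANY),
    ],
    # SetErrorMode(0x400) then SetErrorMode(0): the second call returns the previous
    # mode, so a sandbox that did not honour the first call is exposed
    "seterrormode_sandbox_probe": [
        ({"SetErrorMode"}, _eq(0, SETERRORMODE_PROBE)),
        ({"SetErrorMode"}, _eq(0, 0)),
    ],
}

def match_chain(calls: list, steps: list):
    """Greedy in-order subsequence match; returns matched call addresses or None."""
    refs, i = [], 0
    for c in calls:
        if c.name in steps[i][0] and steps[i][1](c):
            refs.append(c.ref)
            i += 1
            if i == len(steps):
                return refs
    return None

def scan(api_text: str) -> dict:
    """Rule name -> matched call addresses for one function's listing."""
    calls = parse_api_lines(api_text)
    return {n: r for n, s in RULES.items() if (r := match_chain(calls, s))}

# Listings copied from the report's "APIs" sections for 0040637C, 0040977C and 024C0E0F.
REMOTE_WRITE_FUNC = """
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
"""
HOLLOWING_FUNC = """
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
"""
ERRORMODE_FUNC = """
• SetErrorMode.KERNELBASE(00000400,?,?,024C0223,?,?), ref: 024C0E19
• SetErrorMode.KERNELBASE(00000000,?,?,024C0223,?,?), ref: 024C0E1E
"""
```

`scan(HOLLOWING_FUNC)` reports `process_hollowing` with the five call sites 004097B1, 004097EB, 00409831, 0040984E and 0040985B, skipping the TerminateProcess call in between; the other two listings each yield their own single rule. Two caveats when reusing this on other report sections: call-address order is only execution order for straight-line code, which the graphs above confirm for these three routines but not for the registry loop at 004073FF; and `?` stack slots parse as None, so any predicate on them fails closed rather than guessing.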

Control-flow Graph

Control-flow graph for 00406DC2-00406E35 (rendered graph omitted): sub_00406CC9 and sub_0040EF00 in block 00406DD7-00406DF1, a self-looping block at 00406DF4-00406DF9, GetVolumeInformationA in 00406E02-00406E22, exit at 00406E33-00406E35.
                                                                    APIs
                                                                      • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                      • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                      • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                      • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                    • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                    • String ID:
                                                                    • API String ID: 1823874839-0
                                                                    • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                    • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                    • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                    • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                    Control-flow Graph (graph widget legend: Executed / Not Executed; node id, basic-block address range and called functions, then edges as from->to): 645 409892-4098c0 646 4098c2-4098c5 645->646 647 4098d9 645->647 646->647 648 4098c7-4098d7 646->648 649 4098e0-4098f1 SetServiceStatus 647->649 648->649
                                                                    APIs
                                                                    • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ServiceStatus
                                                                    • String ID:
                                                                    • API String ID: 3969395364-0
                                                                    • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                    • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                    • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                    • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                    Control-flow Graph (graph widget legend: Executed / Not Executed; node id, basic-block address range and called functions, then edges as from->to): 650 26f9185-26f91bf call 26f9498 653 26f920d 650->653 654 26f91c1-26f91f4 VirtualAlloc call 26f9212 650->654 653->653 656 26f91f9-26f920b 654->656 656->653
                                                                    APIs
                                                                    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 026F91D6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1728761636.00000000026F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 026F8000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_26f8000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                    • Instruction ID: c260efb2edc5711c597ba91e96d0c548169184bc8d6bf2053b117bf8376c107d
                                                                    • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                    • Instruction Fuzzy Hash: 7E113C79A00208EFDB01DF98C985E98BBF5AF08350F158094FA489B361D771EA90DF94

                                                                    Control-flow Graph (graph widget legend: Executed / Not Executed; node id, basic-block address range and called functions, then edges as from->to): 657 4098f2-4098f4 658 4098f6-409902 call 404280 657->658 661 409904-409913 Sleep 658->661 662 409917 658->662 661->658 663 409915 661->663 664 409919-409942 call 402544 call 40977c 662->664 665 40995e-409960 662->665 663->662 669 409947-409957 call 40ee2a 664->669 669->665
                                                                    APIs
                                                                      • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                    • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateEventSleep
                                                                    • String ID:
                                                                    • API String ID: 3100162736-0
                                                                    • Opcode ID: 395b739cd88b4435df89baafb553413b39c59aeb185fe489df637a3592f54fe2
                                                                    • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                    • Opcode Fuzzy Hash: 395b739cd88b4435df89baafb553413b39c59aeb185fe489df637a3592f54fe2
                                                                    • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 024C65F6
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 024C6610
                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 024C6631
                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 024C6652
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 1965334864-0
                                                                    • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                    • Instruction ID: 82c0fc38d93388e4804103bf336a3c17f6e41e9c0ad214ac57441598846cd90b
                                                                    • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                    • Instruction Fuzzy Hash: 6111A775700218BFDB515F69DC05F9B3FACEB44BA9F21802AFA04E7250D7B1DD008AA4
                                                                    APIs
                                                                    • ExitProcess.KERNEL32 ref: 024C9E6D
                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 024C9FE1
                                                                    • lstrcat.KERNEL32(?,?), ref: 024C9FF2
                                                                    • lstrcat.KERNEL32(?,0041070C), ref: 024CA004
                                                                    • GetFileAttributesExA.KERNEL32(?,?,?), ref: 024CA054
                                                                    • DeleteFileA.KERNEL32(?), ref: 024CA09F
                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 024CA0D6
                                                                    • lstrcpy.KERNEL32 ref: 024CA12F
                                                                    • lstrlen.KERNEL32(00000022), ref: 024CA13C
                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 024C9F13
                                                                      • Part of subcall function 024C7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 024C7081
                                                                      • Part of subcall function 024C6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\eaudxxur,024C7043), ref: 024C6F4E
                                                                      • Part of subcall function 024C6F30: GetProcAddress.KERNEL32(00000000), ref: 024C6F55
                                                                      • Part of subcall function 024C6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 024C6F7B
                                                                      • Part of subcall function 024C6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 024C6F92
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 024CA1A2
                                                                    • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 024CA1C5
                                                                    • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 024CA214
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 024CA21B
                                                                    • GetDriveTypeA.KERNEL32(?), ref: 024CA265
                                                                    • lstrcat.KERNEL32(?,00000000), ref: 024CA29F
                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 024CA2C5
                                                                    • lstrcat.KERNEL32(?,00000022), ref: 024CA2D9
                                                                    • lstrcat.KERNEL32(?,00410A34), ref: 024CA2F4
                                                                    • wsprintfA.USER32 ref: 024CA31D
                                                                    • lstrcat.KERNEL32(?,00000000), ref: 024CA345
                                                                    • lstrcat.KERNEL32(?,?), ref: 024CA364
                                                                    • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 024CA387
                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 024CA398
                                                                    • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 024CA1D1
                                                                      • Part of subcall function 024C9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 024C999D
                                                                      • Part of subcall function 024C9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 024C99BD
                                                                      • Part of subcall function 024C9966: RegCloseKey.ADVAPI32(?), ref: 024C99C6
                                                                    • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 024CA3DB
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 024CA3E2
                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 024CA41D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                    • String ID: "$"$"$D$P$\
                                                                    • API String ID: 1653845638-2605685093
                                                                    • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                    • Instruction ID: fcc6794d4aef2d3c0457f59668b98112263e05b9af3041a2cbd81301b78bb6d8
                                                                    • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                    • Instruction Fuzzy Hash: 81F150B5C4021DAFDB51DFA58C48EEF7BBDAB08304F2440AFE605E2151E7B58A848F64
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                    • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                    • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                    • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                    • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                    • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                    • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                    • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                    • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                    • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad
                                                                    • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                    • API String ID: 2238633743-3228201535
                                                                    • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                    • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                    • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                    • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                    • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                    • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                    • wsprintfA.USER32 ref: 0040B3B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                    • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                    • API String ID: 766114626-2976066047
                                                                    • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                    • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                    • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                    • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 024C7D21
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 024C7D46
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024C7D7D
                                                                    • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 024C7DA2
                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 024C7DC0
                                                                    • EqualSid.ADVAPI32(?,?), ref: 024C7DD1
                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 024C7DE5
                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024C7DF3
                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 024C7E03
                                                                    • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 024C7E12
                                                                    • LocalFree.KERNEL32(00000000), ref: 024C7E19
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 024C7E35
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                    • String ID: C:\Windows\SysWOW64\soirllif\rdliobhf.exe$D
                                                                    • API String ID: 2976863881-130915176
                                                                    • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                    • Instruction ID: e565131ad281b0fce6e026ed7c552edbaa419cefb11e0d150b91c1b523d79881
                                                                    • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                    • Instruction Fuzzy Hash: 5AA16EB6900209AFDB118FA5DC88FEFBBBDFB08344F14816AE505E6250D7758A85CF64
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                    • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                    • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                    • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                    • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                    • String ID: C:\Windows\SysWOW64\soirllif\rdliobhf.exe$D
                                                                    • API String ID: 2976863881-130915176
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 024C7A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024C7ACD
• GetLengthSid.ADVAPI32(?), ref: 024C7ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 024C7B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 024C7B1F
• EqualSid.ADVAPI32(?,?), ref: 024C7B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 024C7B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024C7B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 024C7B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 024C7B77
• LocalFree.KERNEL32(00000000), ref: 024C7B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 024C7B9A
• GetAce.ADVAPI32(?,?,?), ref: 024C7BCA
• EqualSid.ADVAPI32(?,?), ref: 024C7BF1
• DeleteAce.ADVAPI32(?,?), ref: 024C7C0A
• EqualSid.ADVAPI32(?,?), ref: 024C7C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 024C7CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 024C7CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 024C7CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 024C7CE0
• LocalFree.KERNEL32(00000000), ref: 024C7CEE
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\soirllif\rdliobhf.exe$localcfg
• API String ID: 237177642-2022263889
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 024C865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 024C867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 024C86A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 024C86B1
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$C:\Windows\SysWOW64\soirllif\rdliobhf.exe
• API String ID: 237177642-1745462604
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
APIs
• ShellExecuteExW.SHELL32(?), ref: 024C1601
• lstrlenW.KERNEL32(-00000003), ref: 024C17D8
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 024C76D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 024C7757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 024C778F
• ___ascii_stricmp.LIBCMT ref: 024C78B4
• RegCloseKey.ADVAPI32(?), ref: 024C794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 024C796D
• RegCloseKey.ADVAPI32(?), ref: 024C797E
• RegCloseKey.ADVAPI32(?), ref: 024C79AC
• RegCloseKey.ADVAPI32(?), ref: 024C7A56
  • Part of subcall function 024CF40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,024C772A,?), ref: 024CF414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 024C79F6
• RegCloseKey.ADVAPI32(?), ref: 024C7A4D
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
                                                                    • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                    • Instruction ID: 87216864924191ca78bcb8c5fd105ad370ad8e839b72557d875f693eeb8ac714
                                                                    • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                    • Instruction Fuzzy Hash: 81C18675900109ABEB519BA9DC44FEFBBBDEF49710F2040AFE504E6150EB759A84CF60
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                    • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                    • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                    • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                      • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                    • String ID: $"
                                                                    • API String ID: 4293430545-3817095088
                                                                    • Opcode ID: 5af9527d081b75e26a8274f62d41663e3dd5d5ca7bdbbab9435bf0acb249f6fa
                                                                    • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                    • Opcode Fuzzy Hash: 5af9527d081b75e26a8274f62d41663e3dd5d5ca7bdbbab9435bf0acb249f6fa
                                                                    • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000000), ref: 024C2CED
                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 024C2D07
                                                                    • htons.WS2_32(00000000), ref: 024C2D42
                                                                    • select.WS2_32 ref: 024C2D8F
                                                                    • recv.WS2_32(?,00000000,00001000,00000000), ref: 024C2DB1
                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 024C2E62
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                    • String ID:
                                                                    • API String ID: 127016686-0
                                                                    • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                    • Instruction ID: 51601fd507e2cb21e389be1b252138d2247278f1e2ba16c986ec0b9394c4cab3
                                                                    • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                    • Instruction Fuzzy Hash: 5F61E0B9504309ABC360DF69CC08B6BBBE8FB48745F20481EFD85A6250D7F4D8808BA5
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                      • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                      • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                      • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                      • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                      • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                      • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                    • wsprintfA.USER32 ref: 0040AEA5
                                                                      • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                    • wsprintfA.USER32 ref: 0040AE4F
                                                                    • wsprintfA.USER32 ref: 0040AE5E
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                    • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                    • API String ID: 3631595830-1816598006
                                                                    • Opcode ID: 7bbacfd63cc1bd3358eb6f9f25528e70d4a402c133def0f16d35053a1172090f
                                                                    • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                    • Opcode Fuzzy Hash: 7bbacfd63cc1bd3358eb6f9f25528e70d4a402c133def0f16d35053a1172090f
                                                                    • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                    • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                    • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                    • htons.WS2_32(00000035), ref: 00402E88
                                                                    • inet_addr.WS2_32(?), ref: 00402E93
                                                                    • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                    • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                    • String ID: GetNetworkParams$iphlpapi.dll
                                                                    • API String ID: 929413710-2099955842
                                                                    • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                    • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                    • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                    • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                    APIs
                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                    • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                    • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                    • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                    • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                    • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                    • CloseHandle.KERNEL32(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                      • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                      • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                    • String ID:
                                                                    • API String ID: 2622201749-0
                                                                    • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                    • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                    • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                    • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                    APIs
                                                                    • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                    • wsprintfA.USER32 ref: 004093CE
                                                                    • wsprintfA.USER32 ref: 0040940C
                                                                    • wsprintfA.USER32 ref: 0040948D
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                    • String ID: runas
                                                                    • API String ID: 3696105349-4000483414
                                                                    • Opcode ID: 02aec6f577dd688fddbb5344b15a6666d7f538056132fce720943a2534271e66
                                                                    • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                    • Opcode Fuzzy Hash: 02aec6f577dd688fddbb5344b15a6666d7f538056132fce720943a2534271e66
                                                                    • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 0040B467
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                      • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$wsprintf
                                                                    • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                    • API String ID: 1220175532-2340906255
                                                                    • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                    • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                    • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                    • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00402078
                                                                    • GetTickCount.KERNEL32 ref: 004020D4
                                                                    • GetTickCount.KERNEL32 ref: 004020DB
                                                                    • GetTickCount.KERNEL32 ref: 0040212B
                                                                    • GetTickCount.KERNEL32 ref: 00402132
                                                                    • GetTickCount.KERNEL32 ref: 00402142
                                                                      • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                      • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                      • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                      • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                      • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                    • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                    • API String ID: 3976553417-1522128867
                                                                    • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                    • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                    • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                    • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                    APIs
                                                                    • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                    • closesocket.WS2_32(00000000), ref: 0040F375
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: closesockethtonssocket
                                                                    • String ID: time_cfg
                                                                    • API String ID: 311057483-2401304539
                                                                    • Opcode ID: f6bf990b8d2e0653f7ce57bc0c35302b71962c3564253f9b7ed5e4bc4b128e8d
                                                                    • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                    • Opcode Fuzzy Hash: f6bf990b8d2e0653f7ce57bc0c35302b71962c3564253f9b7ed5e4bc4b128e8d
                                                                    • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                    • ExitProcess.KERNEL32 ref: 00404121
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateEventExitProcess
                                                                    • String ID:
                                                                    • API String ID: 2404124870-0
                                                                    • Opcode ID: db7f5c645f4a165619cd73390d37071b2a25bff7da9d907bf9deffaa756c70e2
                                                                    • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
• Opcode Fuzzy Hash: db7f5c645f4a165619cd73390d37071b2a25bff7da9d907bf9deffaa756c70e2
• Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9

APIs
  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
• GetTickCount.KERNEL32 ref: 0040C31F
• GetTickCount.KERNEL32 ref: 0040C32B
• GetTickCount.KERNEL32 ref: 0040C363
• GetTickCount.KERNEL32 ref: 0040C378
• GetTickCount.KERNEL32 ref: 0040C44D
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
• CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
• Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14

APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 024C3068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 024C3078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 024C3095
• RtlAllocateHeap.NTDLL(00000000), ref: 024C30B6
• htons.WS2_32(00000035), ref: 024C30EF
• inet_addr.WS2_32(?), ref: 024C30FA
• gethostbyname.WS2_32(?), ref: 024C310D
• HeapFree.KERNEL32(00000000), ref: 024C314D
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: c9e7219f461c17bc91a7ca47c60f41a9c6e930427c0e366cc9640271a7091e6e
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: 5531A635A00206AFDB529FBD9C44AAF7B78AF04364F2481AAE514E3390DB74D5418B54

APIs
• GetVersionExA.KERNEL32(?), ref: 024C95A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 024C95D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 024C95DC
• wsprintfA.USER32 ref: 024C9635
• wsprintfA.USER32 ref: 024C9673
• wsprintfA.USER32 ref: 024C96F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 024C9758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 024C978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 024C97D8
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID:
• API String ID: 3696105349-0
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: 9b9c6adee644aa5beef5b6ad230c3a6036b6ea385d322a29a422c7f29ed699bd
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: D6A17FB6900648FBEB61DFA5CC44FEA3BADEB04740F20402BFA1592251E7B5D584CFA4

APIs
• GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: 0cf6a8701cb8f0680dc0f016b74236af14a98fd9df1df95cbda4f4d63be35472
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: 0cf6a8701cb8f0680dc0f016b74236af14a98fd9df1df95cbda4f4d63be35472
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: c846f043494d1212c12cca3077d5224032b1241b6052029cc8ab7cf3cda5ab79
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: c846f043494d1212c12cca3077d5224032b1241b6052029cc8ab7cf3cda5ab79
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 024C67C3
• htonl.WS2_32(?), ref: 024C67DF
• htonl.WS2_32(?), ref: 024C67EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 024C68F1
• ExitProcess.KERNEL32 ref: 024C69BC
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 3fbd85c19b10e84d9b20b97050484039dbb883e9c5ac34b7cb0ccb643d30dd86
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: E1616E71A40208AFDB609FA4DC45FEA77E9FB48300F24806AFA69D2161EB759990CF14

APIs
• htons.WS2_32(024CCC84), ref: 024CF5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 024CF5CE
• closesocket.WS2_32(00000000), ref: 024CF5DC
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: b297404e5203bb6c7866c785525ba01d071044cef829b04a48b1df60fcb65e04
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: B5317E75900118ABDB10DFA9DC84DEF7BBDEF48710F21456BF905D3150E7748A868BA4

APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98

APIs
• GetModuleHandleA.KERNEL32(?), ref: 024C2FA1
• LoadLibraryA.KERNEL32(?), ref: 024C2FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 024C2FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 024C3000
• RtlAllocateHeap.NTDLL(00000000), ref: 024C3007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 024C3032
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: 971f6ca0edf503d8d597d255655b6f86adf1307d305477bf3859b572258999d0
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 98219575D00619BBCB619F59DC44AAFBFB8EF08B10F108466F901E7240D7B49AC18BD4

APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 95e7c86f2c9233c41f1e2c53a6d570cd49a4b83f91fe69b21a1c821a086f9375
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 95e7c86f2c9233c41f1e2c53a6d570cd49a4b83f91fe69b21a1c821a086f9375
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD

APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 024C9A18
• GetThreadContext.KERNEL32(?,?), ref: 024C9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 024C9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 024C9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 024C9AB5
• ResumeThread.KERNEL32(?), ref: 024C9AC2
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: 2a3bbc279247ab36c163c3a4e0d898bcfc8dbc4305b3a43ba3b638394212f899
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: 4C216BB1A01219BBDB519BA5DC08EEF7BBCEF04750F104066FA09E1150E7768A84CBA4

APIs
• inet_addr.WS2_32(004102D8), ref: 024C1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 024C1C26
• GetProcessHeap.KERNEL32 ref: 024C1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 024C1C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 024C1CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 024C1D02
• FreeLibrary.KERNEL32(?), ref: 024C1D0B
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: 49c7c799b6bcd6405fbfb43a39ffc21f69cba4d8fe11d6cbe7bdeb279289f4fe
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: AE315E3AD00209BFCB519FA8DC888FFBAB9EB45315B34447EF509A2211D7B55E80DB94

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 024C6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 024C6D22
• GetLastError.KERNEL32 ref: 024C6DA7
• CloseHandle.KERNEL32(?), ref: 024C6DB5
• GetLastError.KERNEL32 ref: 024C6DD6
• DeleteFileA.KERNEL32(?), ref: 024C6DE7
• GetLastError.KERNEL32 ref: 024C6DFD
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: 545bc9d92ca86cb37e1ae88ba857e345ee992d6c0e796fb472f7f0c4b09ae3b5
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 9E31D37A900149BFCB41DFA99D44ADF7F7DEF88310F25C06AE251E3250D77085958BA1
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\eaudxxur,024C7043), ref: 024C6F4E
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 024C6F55
                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 024C6F7B
                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 024C6F92
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                    • String ID: C:\Windows\SysWOW64\$\\.\pipe\eaudxxur
                                                                    • API String ID: 1082366364-869731139
                                                                    • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                    • Instruction ID: 0b770f98c236f249818f236c4fee10615406587190f140a02fd2e158c6f48805
                                                                    • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                    • Instruction Fuzzy Hash: A62149297413407AF362533A9C88FF72E4D8B42724F2980AFF504D5680DBD984D68B6D
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen
                                                                    • String ID: $localcfg
                                                                    • API String ID: 1659193697-2018645984
                                                                    • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                    • Instruction ID: df207d441994b8c8d5ffab4d510b2d6cf9b8d9f729d3a6122f1d76b035ff7aa6
                                                                    • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                    • Instruction Fuzzy Hash: B6712C79A0032C6ADFA18E9CEC85FEF376B9B00719F34442FF904A6190DF6659C88B55
                                                                    APIs
                                                                      • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                      • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                      • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                    • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                    • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                    • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                    • String ID: flags_upd$localcfg
                                                                    • API String ID: 204374128-3505511081
                                                                    • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                    • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                    • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                    • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                    APIs
                                                                      • Part of subcall function 024CDF6C: GetCurrentThreadId.KERNEL32 ref: 024CDFBA
                                                                    • lstrcmp.KERNEL32(00410178,00000000), ref: 024CE8FA
                                                                    • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,024C6128), ref: 024CE950
                                                                    • lstrcmp.KERNEL32(?,00000008), ref: 024CE989
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                    • String ID: A$ A$ A
                                                                    • API String ID: 2920362961-1846390581
                                                                    • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                    • Instruction ID: 745f0a5b2ec287754d7d80993abc519c6f7836beb3e3a9feabf03a7fbc0478e1
                                                                    • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                    • Instruction Fuzzy Hash: BA318F39B04705DBDBB98F29C884BA77BE4EB09724F20852FE55687651D370E881CB91
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Code
                                                                    • String ID:
                                                                    • API String ID: 3609698214-0
                                                                    • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                    • Instruction ID: 15e0baeb6dfdbe6c17aa2ab0e2387cc13d9fab2336c369d08a28759bf67de8e8
                                                                    • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                    • Instruction Fuzzy Hash: E9214FBA204119BFDB509B69EC48EDF3FADDB892A5B21842BF502D1090EB70DA419674
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Code
                                                                    • String ID:
                                                                    • API String ID: 3609698214-0
                                                                    • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                    • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                    • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                    • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                    APIs
                                                                    • GetTempPathA.KERNEL32(00000400,?), ref: 024C92E2
                                                                    • wsprintfA.USER32 ref: 024C9350
                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 024C9375
                                                                    • lstrlen.KERNEL32(?,?,00000000), ref: 024C9389
                                                                    • WriteFile.KERNEL32(00000000,?,00000000), ref: 024C9394
                                                                    • CloseHandle.KERNEL32(00000000), ref: 024C939B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                    • String ID:
                                                                    • API String ID: 2439722600-0
                                                                    • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                    • Instruction ID: 2061c59bc06e3c1b9a2248e9f6ce78faf66c8f357d54c1ca788f40c281093127
                                                                    • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                    • Instruction Fuzzy Hash: D61175B57401147BE7606776DC0DFEF3A6EDBC8B10F10806EBB06A5090EBB44A458B64
                                                                    APIs
                                                                    • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                    • wsprintfA.USER32 ref: 004090E9
                                                                    • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                    • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                    • String ID:
                                                                    • API String ID: 2439722600-0
                                                                    • Opcode ID: 730725e1a30653b3eba158ee6b5a706d92185f15afc7f0cb0d565943f0052150
                                                                    • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                    • Opcode Fuzzy Hash: 730725e1a30653b3eba158ee6b5a706d92185f15afc7f0cb0d565943f0052150
                                                                    • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                    • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                    • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                    • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                    • String ID:
                                                                    • API String ID: 3819781495-0
                                                                    • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                    • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                    • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                    • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 024CC6B4
                                                                    • InterlockedIncrement.KERNEL32(024CC74B), ref: 024CC715
                                                                    • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,024CC747), ref: 024CC728
                                                                    • CloseHandle.KERNEL32(00000000,?,024CC747,00413588,024C8A77), ref: 024CC733
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                    • String ID: localcfg
                                                                    • API String ID: 1026198776-1857712256
                                                                    • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                    • Instruction ID: ebc9490d64dadb325e249800689ef0af3f61f6ab7ac696e29697050461882820
                                                                    • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                    • Instruction Fuzzy Hash: C7515DB5A01B418FD7A49F2DC6C462ABBE9FB48704B60593FE18BC7A90D774E841CB50
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
                                                                      • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                      • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                      • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                      • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                      • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                      • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                      • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                      • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                      • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                      • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                      • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                    • String ID: C:\Windows\SysWOW64\soirllif\rdliobhf.exe
                                                                    • API String ID: 124786226-812669611
                                                                    • Opcode ID: e4e0719a5a2cd3b34ec34ac27a8a6d66355905f4f1668ca4ed4b8e52890c3985
                                                                    • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                    • Opcode Fuzzy Hash: e4e0719a5a2cd3b34ec34ac27a8a6d66355905f4f1668ca4ed4b8e52890c3985
                                                                    • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
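Added example, not part of the Joe Sandbox report or its IDA plugin: a small Python parser for the bullet lines under "APIs" in the function records above, with a few hypothetical behaviour rules applied to the decoded arguments. The rules cover GetTempPathA followed by CreateFileA with dwDesiredAccess GENERIC_WRITE (0x40000000) and dwCreationDisposition CREATE_ALWAYS (2) and then WriteFile (the temp-file write at 024C92E2 and its copy at 0040907B), CreateFileA followed by DeleteFileA in the same function (the write-access probe at 024C6CE4), RegOpenKeyExA on HKEY_CURRENT_USER (0x80000001) followed by RegQueryValueExA (0040815F), and named-pipe or absolute-path arguments such as \\.\pipe\eaudxxur and C:\Windows\SysWOW64\ (024C6F4E). The sample text is constructed from a subset of this report's own lines; rule names and the argument positions are the editor's assumptions, and "Part of subcall function" lines are parsed but excluded from the rules because they belong to callees.

```python
"""Behaviour rules over Joe Sandbox function records (added example, not report tooling).
Parses the bullet lines under "APIs" in each function record and applies a few
hypothetical rules to the decoded arguments; "Part of subcall function" lines are
kept but excluded from the rules because they belong to callees."""
import re
from collections import namedtuple

# Constructed sample: API lines of four records copied from this report.
SAMPLE = r"""APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 024C6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 024C6D22
• DeleteFileA.KERNEL32(?), ref: 024C6DE7
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\eaudxxur,024C7043), ref: 024C6F4E
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 024C6F7B
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 024C92E2
• wsprintfA.USER32 ref: 024C9350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 024C9375
• WriteFile.KERNEL32(00000000,?,00000000), ref: 024C9394
• CloseHandle.KERNEL32(00000000), ref: 024C939B
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F), ref: 00408187
• RegCloseKey.ADVAPI32(?), ref: 00408210
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0040679A
"""

GENERIC_WRITE = 0x40000000      # CreateFileA dwDesiredAccess (argument index 1)
CREATE_ALWAYS = 2               # CreateFileA dwCreationDisposition (argument index 4)
HKEY_CURRENT_USER = 0x80000001  # RegOpenKeyExA hKey (argument index 0)
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

Call = namedtuple("Call", "name module args ref in_subcall")

def parse_records(text):
    """Start a new record at each 'APIs' header; return one list of Calls per record."""
    records = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
            continue
        m = API_RE.match(line)
        if m and records:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            records[-1].append(Call(m["name"], m["module"], args, m["ref"].upper(), m["sub"] is not None))
    return records

def hexarg(args, i):
    """i-th argument as an int; None for '?', string arguments, or a missing argument."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None

def classify(record):
    """Behaviour findings for one record, computed from its direct (non-subcall) calls only."""
    calls = [c for c in record if not c.in_subcall]
    names = [c.name for c in calls]
    idx = lambda n: names.index(n) if n in names else None
    findings = []
    # CreateFileA opened for writing with CREATE_ALWAYS: the function produces a new file.
    writes = [i for i, c in enumerate(calls) if c.name == "CreateFileA"
              and (hexarg(c.args, 1) or 0) & GENERIC_WRITE and hexarg(c.args, 4) == CREATE_ALWAYS]
    t, w, d = idx("GetTempPathA"), idx("WriteFile"), idx("DeleteFileA")
    if writes and t is not None and w is not None and t < writes[0] < w:
        findings.append("writes a new file under %TEMP%")
    if writes and d is not None and writes[0] < d:
        findings.append("creates then deletes a file (write-access probe)")
    # RegOpenKeyExA on HKEY_CURRENT_USER followed by a value query in the same function.
    regs = [i for i, c in enumerate(calls)
            if c.name == "RegOpenKeyExA" and hexarg(c.args, 0) == HKEY_CURRENT_USER]
    if regs and "RegQueryValueExA" in names[regs[0]:]:
        findings.append("reads values from an HKEY_CURRENT_USER key")
    # String arguments worth recording as indicators: named pipes and absolute paths.
    for c in calls:
        for a in c.args:
            if a.startswith("\\\\.\\pipe\\"):
                findings.append(f"named pipe {a}")
            elif re.match(r"[A-Za-z]:\\", a):
                findings.append(f"path {a}")
    return findings

def analyze(text):
    """Map each record's first direct call address (its 'ref') to that record's findings."""
    out = {}
    for rec in parse_records(text):
        direct = [c for c in rec if not c.in_subcall]
        if direct:
            out[direct[0].ref] = classify(rec)
    return out

if __name__ == "__main__":
    for ref, found in analyze(SAMPLE).items():
        print(ref, found or ["(no rule matched)"])
```

Run as-is it prints one line per record keyed by the address of the record's first direct call. Arguments shown as "?" in the report are unresolved by the static pass and decode to None, so a rule that depends on such an argument simply does not fire; that is the conservative choice for a triage script, since a missed match is cheaper to review than a false positive built on a guessed value.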
                                                                    APIs
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 024C71E1
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 024C7228
                                                                    • LocalFree.KERNEL32(?,?,?), ref: 024C7286
                                                                    • wsprintfA.USER32 ref: 024C729D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: 8cff9eb0743a200df35e4fdda0656451c4281af0deaab9389f9a4eab00427b67
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: A0313A76900208BBCB41DFA9DC44BDA7BACEF04314F24C06AF859DB204EB79D6488F94
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
APIs
• GetLocalTime.KERNEL32(?), ref: 024CB51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 024CB529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 024CB548
• GetTimeZoneInformation.KERNEL32(?), ref: 024CB590
• wsprintfA.USER32 ref: 024CB61E
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: a4ae8be21d5c9e4296d0f5758c9c22664e37d094318e6a06190fda991a9ff3f5
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 085110B5D0021CAACF54DFD5D8895EEBBB9FF48308F10816BE505A6150E7B84AC9CF98
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
• Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 024C6303
• LoadLibraryA.KERNEL32(?), ref: 024C632A
• GetProcAddress.KERNEL32(00000000,?), ref: 024C63B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 024C6405
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: 0d21510c1a24db11798edb05d53f6aaee4afafafe174a46740f06eea65cd9bd9
• Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction Fuzzy Hash: 1D417C79A00215ABDB54CF58C884BAAB7B8FF84358F26C06EE815D73A0D770E981CB54
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1989905191bf49f42eadb9a02807c093ecede48eba88651750ab7d74b4d97855
• Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
• Opcode Fuzzy Hash: 1989905191bf49f42eadb9a02807c093ecede48eba88651750ab7d74b4d97855
• Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
• Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
• Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
• Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: htons$Heap$AllocCountProcessTicksendto
• String ID:
• API String ID: 1802437671-0
• Opcode ID: 6299e4c0913397de1f3665e69ba77cac23d914eedd5d9e3cba2a57aff5f89fa9
• Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
• Opcode Fuzzy Hash: 6299e4c0913397de1f3665e69ba77cac23d914eedd5d9e3cba2a57aff5f89fa9
• Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
• Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
• Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 024C93C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 024C93CD
• CharToOemA.USER32(?,?), ref: 024C93DB
• wsprintfA.USER32 ref: 024C9410
  • Part of subcall function 024C92CB: GetTempPathA.KERNEL32(00000400,?), ref: 024C92E2
  • Part of subcall function 024C92CB: wsprintfA.USER32 ref: 024C9350
  • Part of subcall function 024C92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 024C9375
  • Part of subcall function 024C92CB: lstrlen.KERNEL32(?,?,00000000), ref: 024C9389
  • Part of subcall function 024C92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 024C9394
  • Part of subcall function 024C92CB: CloseHandle.KERNEL32(00000000), ref: 024C939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 024C9448
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
• Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
• Instruction ID: 23e29ef60f02a7512f292373aa27a8d9504dce57ff84618350f48e15ebb6a854
• Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
• Instruction Fuzzy Hash: 230192FA9001187BD760A7619D89EDF377CDB95701F0040A6BB49E2080DAF497C48F75
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
• Opcode ID: 45fddde66681fcd1d10412195ca3cbb3a67b5acc72870ab1a948a161cfab8417
• Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
• Opcode Fuzzy Hash: 45fddde66681fcd1d10412195ca3cbb3a67b5acc72870ab1a948a161cfab8417
• Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
• Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
• Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
• Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
• Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
• Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
• Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                    • String ID: hi_id$localcfg
                                                                    • API String ID: 2777991786-2393279970
                                                                    • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                    • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                    • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                    • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                    APIs
                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                    • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                    • String ID: *p@
                                                                    • API String ID: 3429775523-2474123842
                                                                    • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                    • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                    • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                    • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
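The three calls in the block above are the usual BUILTIN\Administrators membership test: AllocateAndInitializeSid is passed a sub-authority count of 2 and the sub-authorities 00000020 (SECURITY_BUILTIN_DOMAIN_RID, 32) and 00000220 (DOMAIN_ALIAS_RID_ADMINS, 544), the resulting SID goes to CheckTokenMembership, and FreeSid releases it. The Python below is an added example, not part of this report and not the sample's code; it encodes and decodes the binary SID layout so the call's arguments can be read back as a SID string. The identifier authority is an assumption (the report shows that argument as ?), taken here to be SECURITY_NT_AUTHORITY (5), which is what a two-sub-authority call of this shape uses.

```python
"""Encode and decode the binary SID layout to read the arguments of the
AllocateAndInitializeSid call above.

Added example; not part of the sandbox report or the sample. The identifier
authority is an assumption (the report shows that argument as '?'); the two
sub-authorities 0x20 and 0x220 are the values visible in the report."""
import struct

# Assumed: the unknown first argument points at SECURITY_NT_AUTHORITY = {0,0,0,0,0,5}.
SECURITY_NT_AUTHORITY = 5
# Values visible in the report's AllocateAndInitializeSid call.
SECURITY_BUILTIN_DOMAIN_RID = 0x20   # 32
DOMAIN_ALIAS_RID_ADMINS = 0x220      # 544


def encode_sid(authority: int, subauthorities: list) -> bytes:
    """Binary SID: revision (1 byte) | sub-authority count (1 byte) |
    identifier authority (6 bytes, big-endian) | sub-authorities (u32 LE each)."""
    if not 0 <= authority < (1 << 48):
        raise ValueError("identifier authority must fit in 48 bits")
    if not 1 <= len(subauthorities) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    out = bytes([1, len(subauthorities)]) + authority.to_bytes(6, "big")
    for sub in subauthorities:
        out += struct.pack("<I", sub)
    return out


def decode_sid(blob: bytes) -> str:
    """Return the S-R-A-S1-S2... string form of a binary SID, checking its length."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_from_report_args(sub1: int = SECURITY_BUILTIN_DOMAIN_RID,
                         sub2: int = DOMAIN_ALIAS_RID_ADMINS) -> str:
    """Rebuild the SID the call above constructs (NT authority assumed, two sub-authorities)."""
    return decode_sid(encode_sid(SECURITY_NT_AUTHORITY, [sub1, sub2]))


if __name__ == "__main__":
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    print(sid_from_report_args())
```

Read S-1-5-32-544 against the CheckTokenMembership call that follows: the function is asking whether the current token is a member of the local Administrators group, which is what decides between the elevated and non-elevated install paths in a sample like this one.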
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: gethostbynameinet_addr
                                                                    • String ID: time_cfg$u6A
                                                                    • API String ID: 1594361348-1940331995
                                                                    • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                    • Instruction ID: b451f6301b751d5a5da28e69ddd764940e01703bb57ffe1d4fb8c2093862792e
                                                                    • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                    • Instruction Fuzzy Hash: B3E012346085119FDB90DB2CF848AD677E5EF4A230F15869AF854D72A0C7F4DCC19754
                                                                    APIs
                                                                    • SetFileAttributesA.KERNEL32(?,00000080), ref: 024C69E5
                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 024C6A26
                                                                    • GetFileSize.KERNEL32(000000FF,00000000), ref: 024C6A3A
                                                                    • CloseHandle.KERNEL32(000000FF), ref: 024C6BD8
                                                                      • Part of subcall function 024CEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,024C1DCF,?), ref: 024CEEA8
                                                                      • Part of subcall function 024CEE95: HeapFree.KERNEL32(00000000), ref: 024CEEAF
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                    • String ID:
                                                                    • API String ID: 3384756699-0
                                                                    • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                    • Instruction ID: 26d9f7b974645e67f65365f1bcf986a9ec9df0ada89d5788d2489b933229ddad
                                                                    • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                    • Instruction Fuzzy Hash: E5712B75D0012DEFDF10DFA8CC80AEEBBB9FB44354F21856AE515A6290E7309E92CB50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf
                                                                    • String ID: %u.%u.%u.%u.%s$localcfg
                                                                    • API String ID: 2111968516-120809033
                                                                    • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                    • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                    • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                    • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                    APIs
                                                                    • RegCreateKeyExA.ADVAPI32(80000001,024CE50A,00000000,00000000,00000000,00020106,00000000,024CE50A,00000000,000000E4), ref: 024CE319
                                                                    • RegSetValueExA.ADVAPI32(024CE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 024CE38E
                                                                    • RegDeleteValueA.ADVAPI32(024CE50A,?,?,?,?,?,000000C8,004122F8), ref: 024CE3BF
                                                                    • RegCloseKey.ADVAPI32(024CE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,024CE50A), ref: 024CE3C8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Value$CloseCreateDelete
                                                                    • String ID:
                                                                    • API String ID: 2667537340-0
                                                                    • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                    • Instruction ID: fd89f9398ae9889175827e8a7dbc47c8cdf7058612297866a085b6e83b70eb30
                                                                    • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                    • Instruction Fuzzy Hash: D1214F75A0021DABDF609FA9EC85EDF7F79EF08750F108026F904E6160E3B19A54DB90
                                                                    APIs
                                                                    • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                    • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                    • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                    • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Value$CloseCreateDelete
                                                                    • String ID:
                                                                    • API String ID: 2667537340-0
                                                                    • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                    • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                    • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                    • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                    APIs
                                                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 024C41AB
                                                                    • GetLastError.KERNEL32 ref: 024C41B5
                                                                    • WaitForSingleObject.KERNEL32(?,?), ref: 024C41C6
                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 024C41D9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                    • String ID:
                                                                    • API String ID: 3373104450-0
                                                                    • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                    • Instruction ID: fb7dfef4bf61873047b235b2e560bb950f4be3fd921a9ee912d425b6516a47d7
                                                                    • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                    • Instruction Fuzzy Hash: BD010C7A51110AAFDF02DF94EE88BEF7B6CEB18255F104066F901E2250DB70DB548BB5
                                                                    APIs
                                                                    • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 024C421F
                                                                    • GetLastError.KERNEL32 ref: 024C4229
                                                                    • WaitForSingleObject.KERNEL32(?,?), ref: 024C423A
                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 024C424D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                    • String ID:
                                                                    • API String ID: 888215731-0
                                                                    • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                    • Instruction ID: b4541694a99c2459048cc5d7ce67b660234d7d65f4f92cc371c3b7f5c55e752f
                                                                    • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                    • Instruction Fuzzy Hash: E6014872911109AFDF41DF94EE85BEF3BACEB08295F108066F901E6050D770DA508BB6
                                                                    APIs
                                                                    • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                    • GetLastError.KERNEL32 ref: 00403F4E
                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                    • String ID:
                                                                    • API String ID: 3373104450-0
                                                                    • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                    • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                    • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                    • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                    APIs
                                                                    • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                    • GetLastError.KERNEL32 ref: 00403FC2
                                                                    • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                    • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                    • String ID:
                                                                    • API String ID: 888215731-0
                                                                    • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                    • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                    • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                    • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
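The WriteFile and ReadFile blocks above each appear twice: once in the mapped module at 00400000 (based on PE: true) and once in the unbacked region at 024C0000 (based on PE: false), with the same Opcode ID but different Instruction IDs and call-site addresses. The Python below is an added example, not part of this report, that parses blocks in this listing's layout and lists the Opcode IDs present in more than one memory region, which is a quick way to pair a function in the original image with its copy in an injected or unpacked region. The SAMPLE input is constructed from lines copied from the two ReadFile blocks and the lstrcmp block above with the remaining fields trimmed; the assumption that a block ends at its Instruction Fuzzy Hash line is taken from the field order shown in this listing.

```python
"""Parse per-function metadata blocks in the layout of this listing and find
Opcode IDs that occur in more than one memory region.

Added example, not part of the sandbox report. SAMPLE is constructed from
lines copied from the blocks above, with other fields trimmed. Assumption:
a block's fields run in the order shown in the listing and a block ends at
its 'Instruction Fuzzy Hash' line."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 024C421F
• GetLastError.KERNEL32 ref: 024C4229
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: b4541694a99c2459048cc5d7ce67b660234d7d65f4f92cc371c3b7f5c55e752f
• Instruction Fuzzy Hash: E6014872911109AFDF41DF94EE85BEF3BACEB08295F108066F901E6050D770DA508BB6
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
• Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
• Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 024CE066
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Similarity
• API ID: lstrcmp
• Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
• Instruction ID: 813d5850a8d50b8b3f8830083f209cae35c12e4f5eabad6b4935b0794e842f28
• Instruction Fuzzy Hash: BFF062353007229BCB70CF2AD884A83B7E9FB05335B64862FE554D3260D374A499CF95
"""

# '• ReadFile.KERNEL32(args), ref: 024C421F' or '• GetLastError.KERNEL32 ref: 024C4229'
API_CALL = re.compile(r"^• (\w+)\.(\w+)(?:\(.*\),)? ref: ([0-9A-Fa-f]{8})$")
SOURCE = re.compile(r"Offset: ([0-9A-Fa-f]{8}), based on PE: (true|false)")
FIELD = re.compile(r"^• (API ID|Opcode ID|Instruction ID|Instruction Fuzzy Hash): (.*)$")


@dataclass
class FuncRecord:
    offset: int = 0            # base address of the memory dump the function sits in
    based_on_pe: bool = False  # True for a mapped module, False for an unbacked region
    api_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    calls: list = field(default_factory=list)  # (api name, call-site address)

    def call_rvas(self) -> list:
        """Call-site addresses relative to the dump base, comparable across regions."""
        return [addr - self.offset for _, addr in self.calls]


def parse_blocks(text: str) -> list:
    """Split the listing into FuncRecords, one per block."""
    records, cur = [], FuncRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := API_CALL.match(line)):
            cur.calls.append((f"{m.group(1)}.{m.group(2)}", int(m.group(3), 16)))
        elif (m := SOURCE.search(line)):
            cur.offset = int(m.group(1), 16)
            cur.based_on_pe = m.group(2) == "true"
        elif (m := FIELD.match(line)):
            key, value = m.group(1), m.group(2)
            if key == "API ID":
                cur.api_id = value
            elif key == "Opcode ID":
                cur.opcode_id = value
            elif key == "Instruction ID":
                cur.instruction_id = value
            else:  # Instruction Fuzzy Hash is the last field of a block
                records.append(cur)
                cur = FuncRecord()
    return records


def shared_opcode_ids(records) -> dict:
    """Opcode IDs seen in more than one distinct memory region, with their records."""
    by_opcode = defaultdict(list)
    for rec in records:
        by_opcode[rec.opcode_id].append(rec)
    return {k: v for k, v in by_opcode.items() if len({r.offset for r in v}) > 1}


def summarize(records) -> list:
    """One header line per shared Opcode ID, then one line per region it appears in."""
    lines = []
    for opcode_id, recs in shared_opcode_ids(records).items():
        lines.append(f"{opcode_id[:16]}...  {recs[0].api_id}")
        for rec in recs:
            kind = "mapped PE" if rec.based_on_pe else "unbacked region"
            rvas = ", ".join(f"+{rva:04X}" for rva in rec.call_rvas())
            lines.append(f"  {rec.offset:08X} ({kind}) instruction id "
                         f"{rec.instruction_id[:16]}... call sites {rvas}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_blocks(SAMPLE))))
```

On the sample, the ReadFile function is reported once per region with call sites at +3FB8/+3FC2 in the mapped image and +421F/+4229 in the unbacked region, so the copy is not a byte-identical relocation of the original image even though the Opcode ID matches; the lstrcmp block, present only at 024C0000, is left out of the summary.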
                                                                    APIs
                                                                    • lstrcmp.KERNEL32(?,80000009), ref: 024CE066
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcmp
                                                                    • String ID: A$ A$ A
                                                                    • API String ID: 1534048567-1846390581
                                                                    • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                    • Instruction ID: 813d5850a8d50b8b3f8830083f209cae35c12e4f5eabad6b4935b0794e842f28
                                                                    • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                    • Instruction Fuzzy Hash: BFF062353007229BCB70CF2AD884A83B7E9FB05335B64862FE554D3260D374A499CF95
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                    • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                    • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                    • String ID:
                                                                    • API String ID: 2207858713-0
                                                                    • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                    • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                    • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                    • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00404E9E
                                                                    • GetTickCount.KERNEL32 ref: 00404EAD
                                                                    • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                    • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                    • String ID:
                                                                    • API String ID: 2207858713-0
                                                                    • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                    • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                    • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                    • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 024C83C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 024C8477
  • Part of subcall function 024C69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 024C69E5
  • Part of subcall function 024C69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 024C6A26
  • Part of subcall function 024C69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 024C6A3A
  • Part of subcall function 024CEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,024C1DCF,?), ref: 024CEEA8
  • Part of subcall function 024CEE95: HeapFree.KERNEL32(00000000), ref: 024CEEAF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\soirllif\rdliobhf.exe
• API String ID: 359188348-812669611
APIs
• GetLocalTime.KERNEL32(?), ref: 024CAFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 024CB00D
  • Part of subcall function 024CAF6F: gethostname.WS2_32(?,00000080), ref: 024CAF83
  • Part of subcall function 024CAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 024CAFE6
  • Part of subcall function 024C331C: gethostname.WS2_32(?,00000080), ref: 024C333F
  • Part of subcall function 024C331C: gethostbyname.WS2_32(?), ref: 024C3349
  • Part of subcall function 024CAA0A: inet_ntoa.WS2_32(00000000), ref: 024CAA10
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 024C9536
• Sleep.KERNEL32(000001F4), ref: 024C955D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
APIs
• GetTickCount.KERNEL32 ref: 024CB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 024CBA3A
• InterlockedIncrement.KERNEL32(?), ref: 024CBA94
• GetTickCount.KERNEL32 ref: 024CBB79
• GetTickCount.KERNEL32 ref: 024CBB99
• InterlockedIncrement.KERNEL32(?), ref: 024CBE15
• closesocket.WS2_32(00000000), ref: 024CBEB4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 024C70BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 024C70F4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
                                                                    APIs
                                                                      • Part of subcall function 024C2F88: GetModuleHandleA.KERNEL32(?), ref: 024C2FA1
                                                                      • Part of subcall function 024C2F88: LoadLibraryA.KERNEL32(?), ref: 024C2FB1
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 024C31DA
                                                                    • HeapFree.KERNEL32(00000000), ref: 024C31E1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1727896372.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_24c0000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                    • String ID:
                                                                    • API String ID: 1017166417-0
                                                                    • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                    • Instruction ID: 4fdeb9119b8684aa953a8663db27ecb40bef24497a898d2d57f65aebdd51813e
                                                                    • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                    • Instruction Fuzzy Hash: 6C519179900246AFCF41DF58D8849EA7B75FF05304B2481AEEC5697210E7729A19CB90
                                                                    APIs
                                                                      • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                      • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                    • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000B.00000002.1726699812.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_11_2_400000_rdliobhf.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                    • String ID:
                                                                    • API String ID: 1017166417-0
                                                                    • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                    • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                    • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                    • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                    Execution Graph

                                                                    Execution Coverage: 15%
                                                                    Dynamic/Decrypted Code Coverage: 0%
                                                                    Signature Coverage: 0.7%
                                                                    Total number of Nodes: 1807
                                                                    Total number of Limit Nodes: 18
calls 7023->7025 7024 2f1f04e 4 API calls 7026 2f17e4c 7024->7026 7025->7022 7026->7023 7027 2f1f04e 4 API calls 7026->7027 7027->7023 7029 2f16ec3 2 API calls 7028->7029 7030 2f17fdd 7029->7030 7031 2f173ff 17 API calls 7030->7031 7040 2f180c2 CreateProcessA 7030->7040 7032 2f17fff 7031->7032 7033 2f17809 21 API calls 7032->7033 7032->7040 7034 2f1804d 7033->7034 7035 2f1ef1e lstrlenA 7034->7035 7034->7040 7036 2f1809e 7035->7036 7037 2f1ef1e lstrlenA 7036->7037 7038 2f180af 7037->7038 7039 2f17a95 24 API calls 7038->7039 7039->7040 7040->6466 7040->6467 7042 2f17db7 2 API calls 7041->7042 7043 2f17eb8 7042->7043 7044 2f1f04e 4 API calls 7043->7044 7045 2f17ece DeleteFileA 7044->7045 7045->6421 7047 2f1dd05 6 API calls 7046->7047 7048 2f1e31d 7047->7048 7139 2f1e177 7048->7139 7050 2f1e326 7050->6439 7052 2f131f3 7051->7052 7061 2f131ec 7051->7061 7053 2f1ebcc 4 API calls 7052->7053 7062 2f131fc 7053->7062 7054 2f13459 7056 2f1f04e 4 API calls 7054->7056 7055 2f1349d 7057 2f1ec2e codecvt 4 API calls 7055->7057 7058 2f1345f 7056->7058 7057->7061 7059 2f130fa 4 API calls 7058->7059 7059->7061 7060 2f1ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7060->7062 7061->6421 7062->7060 7062->7061 7063 2f1344d 7062->7063 7065 2f1344b 7062->7065 7067 2f13141 lstrcmpiA 7062->7067 7165 2f130fa GetTickCount 7062->7165 7064 2f1ec2e codecvt 4 API calls 7063->7064 7064->7065 7065->7054 7065->7055 7067->7062 7069 2f130fa 4 API calls 7068->7069 7070 2f13c1a 7069->7070 7071 2f13ce6 7070->7071 7170 2f13a72 7070->7170 7071->6421 7074 2f13a72 9 API calls 7077 2f13c5e 7074->7077 7075 2f13a72 9 API calls 7075->7077 7076 2f1ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7076->7077 7077->7071 7077->7075 7077->7076 7079 2f13a10 7078->7079 7080 2f130fa 4 API calls 7079->7080 7081 2f13a1a 7080->7081 7081->6421 7083 2f1dd05 6 API calls 7082->7083 7084 2f1e7be 7083->7084 7084->6421 7086 2f1c105 7085->7086 7087 2f1c07e wsprintfA 7085->7087 7086->6421 7179 2f1bfce 
GetTickCount wsprintfA 7087->7179 7089 2f1c0ef 7180 2f1bfce GetTickCount wsprintfA 7089->7180 7092 2f17047 7091->7092 7093 2f16f88 LookupAccountNameA 7091->7093 7092->6421 7095 2f17025 7093->7095 7096 2f16fcb 7093->7096 7181 2f16edd 7095->7181 7098 2f16fdb ConvertSidToStringSidA 7096->7098 7098->7095 7100 2f16ff1 7098->7100 7101 2f17013 LocalFree 7100->7101 7101->7095 7103 2f1dd05 6 API calls 7102->7103 7104 2f1e85c 7103->7104 7105 2f1dd84 lstrcmpiA 7104->7105 7106 2f1e867 7105->7106 7107 2f1e885 lstrcpyA 7106->7107 7192 2f124a5 7106->7192 7195 2f1dd69 7107->7195 7113 2f17db7 2 API calls 7112->7113 7114 2f17de1 7113->7114 7115 2f17e16 7114->7115 7116 2f1f04e 4 API calls 7114->7116 7115->6421 7117 2f17df2 7116->7117 7117->7115 7118 2f1f04e 4 API calls 7117->7118 7118->7115 7120 2f1ca1d 7119->7120 7121 2f1f33b 7119->7121 7120->6396 7120->6974 7122 2f1f347 htons socket 7121->7122 7123 2f1f382 ioctlsocket 7122->7123 7124 2f1f374 closesocket 7122->7124 7125 2f1f3aa connect select 7123->7125 7126 2f1f39d 7123->7126 7124->7120 7125->7120 7128 2f1f3f2 __WSAFDIsSet 7125->7128 7127 2f1f39f closesocket 7126->7127 7127->7120 7128->7127 7129 2f1f403 ioctlsocket 7128->7129 7131 2f1f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7129->7131 7131->7120 7133 2f1dd84 lstrcmpiA 7132->7133 7134 2f1c58e 7133->7134 7134->6981 7134->6987 7134->6989 7136 2f17dc8 InterlockedExchange 7135->7136 7137 2f17dc0 Sleep 7136->7137 7138 2f17dd4 7136->7138 7137->7136 7138->7023 7138->7024 7140 2f1e184 7139->7140 7141 2f1e2e4 7140->7141 7142 2f1e223 7140->7142 7155 2f1dfe2 7140->7155 7141->7050 7142->7141 7144 2f1dfe2 8 API calls 7142->7144 7149 2f1e23c 7144->7149 7145 2f1e1be 7145->7142 7146 2f1dbcf 3 API calls 7145->7146 7148 2f1e1d6 7146->7148 7147 2f1e21a CloseHandle 7147->7142 7148->7142 7148->7147 7150 2f1e1f9 WriteFile 7148->7150 7149->7141 7159 2f1e095 RegCreateKeyExA 7149->7159 7150->7147 7152 2f1e213 7150->7152 7152->7147 7153 2f1e2a3 7153->7141 7154 2f1e095 4 API calls 
7153->7154 7154->7141 7156 2f1dffc 7155->7156 7158 2f1e024 7155->7158 7157 2f1db2e 8 API calls 7156->7157 7156->7158 7157->7158 7158->7145 7160 2f1e172 7159->7160 7163 2f1e0c0 7159->7163 7160->7153 7161 2f1e13d 7162 2f1e14e RegDeleteValueA RegCloseKey 7161->7162 7162->7160 7163->7161 7164 2f1e115 RegSetValueExA 7163->7164 7164->7161 7164->7163 7166 2f13122 InterlockedExchange 7165->7166 7167 2f1310f GetTickCount 7166->7167 7168 2f1312e 7166->7168 7167->7168 7169 2f1311a Sleep 7167->7169 7168->7062 7169->7166 7171 2f1f04e 4 API calls 7170->7171 7178 2f13a83 7171->7178 7172 2f13bc0 7174 2f13be6 7172->7174 7176 2f1ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7172->7176 7173 2f13ac1 7173->7071 7173->7074 7175 2f1ec2e codecvt 4 API calls 7174->7175 7175->7173 7176->7172 7177 2f13b66 lstrlenA 7177->7173 7177->7178 7178->7172 7178->7173 7178->7177 7179->7089 7180->7086 7182 2f16eef AllocateAndInitializeSid 7181->7182 7188 2f16f55 wsprintfA 7181->7188 7183 2f16f44 7182->7183 7184 2f16f1c CheckTokenMembership 7182->7184 7183->7188 7189 2f16e36 GetUserNameW 7183->7189 7185 2f16f3b FreeSid 7184->7185 7186 2f16f2e 7184->7186 7185->7183 7186->7185 7188->7092 7190 2f16e5f LookupAccountNameW 7189->7190 7191 2f16e97 7189->7191 7190->7191 7191->7188 7193 2f12419 4 API calls 7192->7193 7194 2f124b6 7193->7194 7194->7107 7196 2f1dd79 lstrlenA 7195->7196 7196->6421 7198 2f1eb17 7197->7198 7199 2f1eb21 7197->7199 7200 2f1eae4 2 API calls 7198->7200 7199->6523 7200->7199 7203 2f169b9 WriteFile 7201->7203 7204 2f16a3c 7203->7204 7206 2f169ff 7203->7206 7204->6519 7204->6520 7205 2f16a10 WriteFile 7205->7204 7205->7206 7206->7204 7206->7205 7208 2f13edc 7207->7208 7210 2f13ee2 7207->7210 7209 2f16dc2 6 API calls 7208->7209 7209->7210 7210->6534 7212 2f1400b CreateFileA 7211->7212 7213 2f14052 7212->7213 7214 2f1402c GetLastError 7212->7214 7213->6537 7214->7213 7215 2f14037 7214->7215 7215->7213 7216 2f14041 Sleep 7215->7216 7216->7212 7216->7213 7218 2f13f7c 7217->7218 
7219 2f13f4e GetLastError 7217->7219 7221 2f13f8c ReadFile 7218->7221 7219->7218 7220 2f13f5b WaitForSingleObject GetOverlappedResult 7219->7220 7220->7218 7222 2f13ff0 7221->7222 7223 2f13fc2 GetLastError 7221->7223 7222->6542 7222->6543 7223->7222 7224 2f13fcf WaitForSingleObject GetOverlappedResult 7223->7224 7224->7222 7226 2f11924 GetVersionExA 7225->7226 7226->6582 7228 2f1f0f1 7227->7228 7229 2f1f0ed 7227->7229 7230 2f1f119 7228->7230 7231 2f1f0fa lstrlenA SysAllocStringByteLen 7228->7231 7229->6614 7233 2f1f11c MultiByteToWideChar 7230->7233 7232 2f1f117 7231->7232 7231->7233 7232->6614 7233->7232 7235 2f11820 17 API calls 7234->7235 7236 2f118f2 7235->7236 7237 2f118f9 7236->7237 7251 2f11280 7236->7251 7237->6609 7239 2f11908 7239->6609 7263 2f11000 7240->7263 7242 2f11839 7243 2f11851 GetCurrentProcess 7242->7243 7244 2f1183d 7242->7244 7245 2f11864 7243->7245 7244->6598 7245->6598 7247 2f1920e 7246->7247 7250 2f19308 7246->7250 7248 2f192f1 Sleep 7247->7248 7249 2f192bf ShellExecuteA 7247->7249 7247->7250 7248->7247 7249->7247 7249->7250 7250->6609 7252 2f112e1 7251->7252 7253 2f116f9 GetLastError 7252->7253 7260 2f113a8 7252->7260 7254 2f11699 7253->7254 7254->7239 7255 2f11570 lstrlenW 7255->7260 7256 2f115be GetStartupInfoW 7256->7260 7257 2f115ff CreateProcessWithLogonW 7258 2f116bf GetLastError 7257->7258 7259 2f1163f WaitForSingleObject 7257->7259 7258->7254 7259->7260 7261 2f11659 CloseHandle 7259->7261 7260->7254 7260->7255 7260->7256 7260->7257 7262 2f11668 CloseHandle 7260->7262 7261->7260 7262->7260 7264 2f1100d LoadLibraryA 7263->7264 7272 2f11023 7263->7272 7265 2f11021 7264->7265 7264->7272 7265->7242 7266 2f110b5 GetProcAddress 7267 2f110d1 GetProcAddress 7266->7267 7268 2f1127b 7266->7268 7267->7268 7269 2f110f0 GetProcAddress 7267->7269 7268->7242 7269->7268 7270 2f11110 GetProcAddress 7269->7270 7270->7268 7271 2f11130 GetProcAddress 7270->7271 7271->7268 7273 2f1114f GetProcAddress 7271->7273 7272->7266 7283 2f110ae 7272->7283 
7273->7268 7274 2f1116f GetProcAddress 7273->7274 7274->7268 7275 2f1118f GetProcAddress 7274->7275 7275->7268 7276 2f111ae GetProcAddress 7275->7276 7276->7268 7277 2f111ce GetProcAddress 7276->7277 7277->7268 7278 2f111ee GetProcAddress 7277->7278 7278->7268 7279 2f11209 GetProcAddress 7278->7279 7279->7268 7280 2f11225 GetProcAddress 7279->7280 7280->7268 7281 2f11241 GetProcAddress 7280->7281 7281->7268 7282 2f1125c GetProcAddress 7281->7282 7282->7268 7283->7242 7285 2f1908d 7284->7285 7286 2f190e2 wsprintfA 7285->7286 7287 2f1ee2a 7286->7287 7288 2f190fd CreateFileA 7287->7288 7289 2f1911a lstrlenA WriteFile CloseHandle 7288->7289 7290 2f1913f 7288->7290 7289->7290 7290->6637 7290->6638 7292 2f1ee2a 7291->7292 7293 2f19794 CreateProcessA 7292->7293 7294 2f197c2 7293->7294 7295 2f197bb 7293->7295 7296 2f197d4 GetThreadContext 7294->7296 7295->6649 7297 2f19801 7296->7297 7298 2f197f5 7296->7298 7305 2f1637c 7297->7305 7299 2f197f6 TerminateProcess 7298->7299 7299->7295 7301 2f19816 7301->7299 7302 2f1981e WriteProcessMemory 7301->7302 7302->7298 7303 2f1983b SetThreadContext 7302->7303 7303->7298 7304 2f19858 ResumeThread 7303->7304 7304->7295 7306 2f16386 7305->7306 7307 2f1638a GetModuleHandleA VirtualAlloc 7305->7307 7306->7301 7308 2f163b6 7307->7308 7309 2f163f5 7307->7309 7310 2f163be VirtualAllocEx 7308->7310 7309->7301 7310->7309 7311 2f163d6 7310->7311 7312 2f163df WriteProcessMemory 7311->7312 7312->7309 7314 2f18791 7313->7314 7315 2f1879f 7313->7315 7316 2f1f04e 4 API calls 7314->7316 7317 2f187bc 7315->7317 7318 2f1f04e 4 API calls 7315->7318 7316->7315 7319 2f1e819 11 API calls 7317->7319 7318->7317 7320 2f187d7 7319->7320 7333 2f18803 7320->7333 7468 2f126b2 gethostbyaddr 7320->7468 7323 2f187eb 7325 2f1e8a1 30 API calls 7323->7325 7323->7333 7325->7333 7328 2f1e819 11 API calls 7328->7333 7329 2f188a0 Sleep 7329->7333 7331 2f126b2 2 API calls 7331->7333 7332 2f1f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 
7332->7333 7333->7328 7333->7329 7333->7331 7333->7332 7334 2f1e8a1 30 API calls 7333->7334 7365 2f18cee 7333->7365 7373 2f1c4d6 7333->7373 7376 2f1c4e2 7333->7376 7379 2f12011 7333->7379 7414 2f18328 7333->7414 7334->7333 7336 2f14084 7335->7336 7337 2f1407d 7335->7337 7338 2f13ecd 6 API calls 7336->7338 7339 2f1408f 7338->7339 7340 2f14000 3 API calls 7339->7340 7341 2f14095 7340->7341 7342 2f14130 7341->7342 7343 2f140c0 7341->7343 7344 2f13ecd 6 API calls 7342->7344 7348 2f13f18 4 API calls 7343->7348 7345 2f14159 CreateNamedPipeA 7344->7345 7346 2f14167 Sleep 7345->7346 7347 2f14188 ConnectNamedPipe 7345->7347 7346->7342 7350 2f14176 CloseHandle 7346->7350 7349 2f14195 GetLastError 7347->7349 7361 2f141ab 7347->7361 7351 2f140da 7348->7351 7352 2f1425e DisconnectNamedPipe 7349->7352 7349->7361 7350->7347 7353 2f13f8c 4 API calls 7351->7353 7352->7347 7354 2f140ec 7353->7354 7355 2f14127 CloseHandle 7354->7355 7356 2f14101 7354->7356 7355->7342 7358 2f13f18 4 API calls 7356->7358 7357 2f13f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7357->7361 7359 2f1411c ExitProcess 7358->7359 7360 2f13f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7360->7361 7361->7347 7361->7352 7361->7357 7361->7360 7362 2f1426a CloseHandle CloseHandle 7361->7362 7363 2f1e318 23 API calls 7362->7363 7364 2f1427b 7363->7364 7364->7364 7366 2f18d02 GetTickCount 7365->7366 7367 2f18dae 7365->7367 7366->7367 7369 2f18d19 7366->7369 7367->7333 7368 2f18da1 GetTickCount 7368->7367 7369->7368 7372 2f18d89 7369->7372 7473 2f1a677 7369->7473 7476 2f1a688 7369->7476 7372->7368 7484 2f1c2dc 7373->7484 7377 2f1c2dc 142 API calls 7376->7377 7378 2f1c4ec 7377->7378 7378->7333 7380 2f12020 7379->7380 7381 2f1202e 7379->7381 7382 2f1f04e 4 API calls 7380->7382 7383 2f1204b 7381->7383 7384 2f1f04e 4 API calls 7381->7384 7382->7381 7385 2f1206e GetTickCount 7383->7385 7386 2f1f04e 4 API calls 7383->7386 7384->7383 7387 2f120db GetTickCount 7385->7387 7395 2f12090 
7385->7395 7389 2f12068 7386->7389 7388 2f12132 GetTickCount GetTickCount 7387->7388 7400 2f120e7 7387->7400 7391 2f1f04e 4 API calls 7388->7391 7389->7385 7390 2f120d4 GetTickCount 7390->7387 7393 2f12159 7391->7393 7392 2f1212b GetTickCount 7392->7388 7396 2f121b4 7393->7396 7399 2f1e854 13 API calls 7393->7399 7394 2f12684 2 API calls 7394->7395 7395->7390 7395->7394 7403 2f120ce 7395->7403 7824 2f11978 7395->7824 7398 2f1f04e 4 API calls 7396->7398 7402 2f121d1 7398->7402 7404 2f1218e 7399->7404 7400->7392 7405 2f12125 7400->7405 7408 2f11978 15 API calls 7400->7408 7814 2f12ef8 7400->7814 7406 2f121f2 7402->7406 7409 2f1ea84 30 API calls 7402->7409 7403->7390 7407 2f1e819 11 API calls 7404->7407 7405->7392 7406->7333 7410 2f1219c 7407->7410 7408->7400 7411 2f121ec 7409->7411 7410->7396 7829 2f11c5f 7410->7829 7412 2f1f04e 4 API calls 7411->7412 7412->7406 7415 2f17dd6 6 API calls 7414->7415 7416 2f1833c 7415->7416 7417 2f16ec3 2 API calls 7416->7417 7446 2f18340 7416->7446 7418 2f1834f 7417->7418 7419 2f1835c 7418->7419 7424 2f1846b 7418->7424 7420 2f173ff 17 API calls 7419->7420 7438 2f18373 7420->7438 7421 2f185df 7422 2f18626 GetTempPathA 7421->7422 7434 2f18768 7421->7434 7457 2f18671 7421->7457 7435 2f18638 7422->7435 7423 2f1675c 21 API calls 7423->7421 7426 2f184a7 RegOpenKeyExA 7424->7426 7448 2f18450 7424->7448 7428 2f184c0 RegQueryValueExA 7426->7428 7429 2f1852f 7426->7429 7427 2f186ad 7430 2f18762 7427->7430 7433 2f17e2f 6 API calls 7427->7433 7431 2f18521 RegCloseKey 7428->7431 7432 2f184dd 7428->7432 7436 2f18564 RegOpenKeyExA 7429->7436 7440 2f185a5 7429->7440 7430->7434 7431->7429 7432->7431 7441 2f1ebcc 4 API calls 7432->7441 7437 2f186bb 7433->7437 7443 2f1ec2e codecvt 4 API calls 7434->7443 7434->7446 7435->7457 7439 2f18573 RegSetValueExA RegCloseKey 7436->7439 7436->7440 7442 2f1875b DeleteFileA 7437->7442 7456 2f186e0 lstrcpyA lstrlenA 7437->7456 7438->7446 7438->7448 7449 2f183ea RegOpenKeyExA 7438->7449 7439->7440 7440->7448 7451 
2f1ec2e codecvt 4 API calls 7440->7451 7445 2f184f0 7441->7445 7442->7430 7443->7446 7445->7431 7447 2f184f8 RegQueryValueExA 7445->7447 7446->7333 7447->7431 7450 2f18515 7447->7450 7448->7421 7448->7423 7449->7448 7452 2f183fd RegQueryValueExA 7449->7452 7455 2f1ec2e codecvt 4 API calls 7450->7455 7451->7448 7453 2f1842d RegSetValueExA 7452->7453 7454 2f1841e 7452->7454 7458 2f18447 RegCloseKey 7453->7458 7454->7453 7454->7458 7459 2f1851d 7455->7459 7460 2f17fcf 64 API calls 7456->7460 7901 2f16ba7 IsBadCodePtr 7457->7901 7458->7448 7459->7431 7461 2f18719 CreateProcessA 7460->7461 7462 2f1873d CloseHandle CloseHandle 7461->7462 7463 2f1874f 7461->7463 7462->7434 7464 2f17ee6 64 API calls 7463->7464 7465 2f18754 7464->7465 7466 2f17ead 6 API calls 7465->7466 7467 2f1875a 7466->7467 7467->7442 7469 2f126fb 7468->7469 7470 2f126cd 7468->7470 7469->7323 7471 2f126e1 inet_ntoa 7470->7471 7472 2f126de 7470->7472 7471->7472 7472->7323 7479 2f1a63d 7473->7479 7475 2f1a685 7475->7369 7477 2f1a63d GetTickCount 7476->7477 7478 2f1a696 7477->7478 7478->7369 7480 2f1a645 7479->7480 7481 2f1a64d 7479->7481 7480->7475 7482 2f1a66e 7481->7482 7483 2f1a65e GetTickCount 7481->7483 7482->7475 7483->7482 7501 2f1a4c7 GetTickCount 7484->7501 7487 2f1c47a 7492 2f1c4d2 7487->7492 7493 2f1c4ab InterlockedIncrement CreateThread 7487->7493 7488 2f1c300 GetTickCount 7490 2f1c337 7488->7490 7489 2f1c326 7489->7490 7491 2f1c32b GetTickCount 7489->7491 7490->7487 7495 2f1c363 GetTickCount 7490->7495 7491->7490 7492->7333 7493->7492 7494 2f1c4cb CloseHandle 7493->7494 7506 2f1b535 7493->7506 7494->7492 7495->7487 7496 2f1c373 7495->7496 7497 2f1c378 GetTickCount 7496->7497 7498 2f1c37f 7496->7498 7497->7498 7499 2f1c43b GetTickCount 7498->7499 7500 2f1c45e 7499->7500 7500->7487 7502 2f1a4f7 InterlockedExchange 7501->7502 7503 2f1a500 7502->7503 7504 2f1a4e4 GetTickCount 7502->7504 7503->7487 7503->7488 7503->7489 7504->7503 7505 2f1a4ef Sleep 7504->7505 7505->7502 7507 2f1b566 7506->7507 
7508 2f1ebcc 4 API calls 7507->7508 7509 2f1b587 7508->7509 7510 2f1ebcc 4 API calls 7509->7510 7560 2f1b590 7510->7560 7511 2f1bdcd InterlockedDecrement 7512 2f1bde2 7511->7512 7514 2f1ec2e codecvt 4 API calls 7512->7514 7515 2f1bdea 7514->7515 7517 2f1ec2e codecvt 4 API calls 7515->7517 7516 2f1bdb7 Sleep 7516->7560 7518 2f1bdf2 7517->7518 7520 2f1be05 7518->7520 7521 2f1ec2e codecvt 4 API calls 7518->7521 7519 2f1bdcc 7519->7511 7521->7520 7522 2f1ebed 8 API calls 7522->7560 7525 2f1b6b6 lstrlenA 7525->7560 7526 2f130b5 2 API calls 7526->7560 7527 2f1e819 11 API calls 7527->7560 7528 2f1b6ed lstrcpyA 7581 2f15ce1 7528->7581 7531 2f1b731 lstrlenA 7531->7560 7532 2f1b71f lstrcmpA 7532->7531 7532->7560 7533 2f1b772 GetTickCount 7533->7560 7534 2f1bd49 InterlockedIncrement 7675 2f1a628 7534->7675 7537 2f1b7ce InterlockedIncrement 7591 2f1acd7 7537->7591 7538 2f1bc5b InterlockedIncrement 7538->7560 7541 2f1b912 GetTickCount 7541->7560 7542 2f1b932 GetTickCount 7545 2f1bc6d InterlockedIncrement 7542->7545 7542->7560 7543 2f1bcdc closesocket 7543->7560 7544 2f1b826 InterlockedIncrement 7544->7533 7545->7560 7546 2f15ce1 22 API calls 7546->7560 7547 2f138f0 6 API calls 7547->7560 7550 2f1bba6 InterlockedIncrement 7550->7560 7552 2f1bc4c closesocket 7552->7560 7555 2f1ba71 wsprintfA 7609 2f1a7c1 7555->7609 7557 2f1a7c1 22 API calls 7557->7560 7558 2f1ab81 lstrcpynA InterlockedIncrement 7558->7560 7559 2f1ef1e lstrlenA 7559->7560 7560->7511 7560->7516 7560->7519 7560->7522 7560->7525 7560->7526 7560->7527 7560->7528 7560->7531 7560->7532 7560->7533 7560->7534 7560->7537 7560->7538 7560->7541 7560->7542 7560->7543 7560->7544 7560->7546 7560->7547 7560->7550 7560->7552 7560->7555 7560->7557 7560->7558 7560->7559 7561 2f15ded 12 API calls 7560->7561 7562 2f1a688 GetTickCount 7560->7562 7563 2f13e10 7560->7563 7566 2f13e4f 7560->7566 7569 2f1384f 7560->7569 7589 2f1a7a3 inet_ntoa 7560->7589 7596 2f1abee 7560->7596 7608 2f11feb GetTickCount 7560->7608 7629 2f13cfb 7560->7629 
7632 2f1b3c5 7560->7632 7663 2f1ab81 7560->7663 7561->7560 7562->7560 7564 2f130fa 4 API calls 7563->7564 7565 2f13e1d 7564->7565 7565->7560 7567 2f130fa 4 API calls 7566->7567 7568 2f13e5c 7567->7568 7568->7560 7570 2f130fa 4 API calls 7569->7570 7572 2f13863 7570->7572 7571 2f138b2 7571->7560 7572->7571 7573 2f138b9 7572->7573 7574 2f13889 7572->7574 7684 2f135f9 7573->7684 7678 2f13718 7574->7678 7579 2f135f9 6 API calls 7579->7571 7580 2f13718 6 API calls 7580->7571 7582 2f15cf4 7581->7582 7583 2f15cec 7581->7583 7585 2f14bd1 4 API calls 7582->7585 7690 2f14bd1 GetTickCount 7583->7690 7586 2f15d02 7585->7586 7695 2f15472 7586->7695 7590 2f1a7b9 7589->7590 7590->7560 7592 2f1f315 14 API calls 7591->7592 7593 2f1aceb 7592->7593 7594 2f1acff 7593->7594 7595 2f1f315 14 API calls 7593->7595 7594->7560 7595->7594 7597 2f1abfb 7596->7597 7600 2f1ac65 7597->7600 7758 2f12f22 7597->7758 7599 2f1f315 14 API calls 7599->7600 7600->7599 7601 2f1ac6f 7600->7601 7602 2f1ac8a 7600->7602 7603 2f1ab81 2 API calls 7601->7603 7602->7560 7605 2f1ac81 7603->7605 7604 2f12684 2 API calls 7606 2f1ac23 7604->7606 7766 2f138f0 7605->7766 7606->7600 7606->7604 7608->7560 7610 2f1a87d lstrlenA send 7609->7610 7611 2f1a7df 7609->7611 7613 2f1a899 7610->7613 7614 2f1a8bf 7610->7614 7611->7610 7612 2f1a8f2 7611->7612 7617 2f1a80a 7611->7617 7620 2f1a7fa wsprintfA 7611->7620 7616 2f1a978 recv 7612->7616 7621 2f1a9b0 wsprintfA 7612->7621 7622 2f1a982 7612->7622 7618 2f1a8a5 wsprintfA 7613->7618 7628 2f1a89e 7613->7628 7614->7612 7615 2f1a8c4 send 7614->7615 7615->7612 7619 2f1a8d8 wsprintfA 7615->7619 7616->7612 7616->7622 7617->7610 7618->7628 7619->7628 7620->7617 7621->7628 7623 2f130b5 2 API calls 7622->7623 7622->7628 7624 2f1ab05 7623->7624 7625 2f1e819 11 API calls 7624->7625 7626 2f1ab17 7625->7626 7627 2f1a7a3 inet_ntoa 7626->7627 7627->7628 7628->7560 7630 2f130fa 4 API calls 7629->7630 7631 2f13d0b 7630->7631 7631->7560 7633 2f15ce1 22 API calls 7632->7633 7634 2f1b3e6 7633->7634 
7635 2f15ce1 22 API calls 7634->7635 7637 2f1b404 7635->7637 7636 2f1b440 7639 2f1ef7c 3 API calls 7636->7639 7637->7636 7638 2f1ef7c 3 API calls 7637->7638 7640 2f1b42b 7638->7640 7641 2f1b458 wsprintfA 7639->7641 7642 2f1ef7c 3 API calls 7640->7642 7643 2f1ef7c 3 API calls 7641->7643 7642->7636 7644 2f1b480 7643->7644 7645 2f1ef7c 3 API calls 7644->7645 7646 2f1b493 7645->7646 7647 2f1ef7c 3 API calls 7646->7647 7648 2f1b4bb 7647->7648 7782 2f1ad89 GetLocalTime SystemTimeToFileTime 7648->7782 7652 2f1b4cc 7653 2f1ef7c 3 API calls 7652->7653 7654 2f1b4dd 7653->7654 7655 2f1b211 7 API calls 7654->7655 7656 2f1b4ec 7655->7656 7657 2f1ef7c 3 API calls 7656->7657 7658 2f1b4fd 7657->7658 7659 2f1b211 7 API calls 7658->7659 7660 2f1b509 7659->7660 7661 2f1ef7c 3 API calls 7660->7661 7662 2f1b51a 7661->7662 7662->7560 7664 2f1abe9 GetTickCount 7663->7664 7666 2f1ab8c 7663->7666 7668 2f1a51d 7664->7668 7665 2f1aba8 lstrcpynA 7665->7666 7666->7664 7666->7665 7667 2f1abe1 InterlockedIncrement 7666->7667 7667->7666 7669 2f1a4c7 4 API calls 7668->7669 7670 2f1a52c 7669->7670 7671 2f1a542 GetTickCount 7670->7671 7673 2f1a539 GetTickCount 7670->7673 7671->7673 7674 2f1a56c 7673->7674 7674->7560 7676 2f1a4c7 4 API calls 7675->7676 7677 2f1a633 7676->7677 7677->7560 7679 2f1f04e 4 API calls 7678->7679 7681 2f1372a 7679->7681 7680 2f13847 7680->7571 7680->7580 7681->7680 7682 2f137b3 GetCurrentThreadId 7681->7682 7682->7681 7683 2f137c8 GetCurrentThreadId 7682->7683 7683->7681 7685 2f1f04e 4 API calls 7684->7685 7689 2f1360c 7685->7689 7686 2f136f1 7686->7571 7686->7579 7687 2f136da GetCurrentThreadId 7687->7686 7688 2f136e5 GetCurrentThreadId 7687->7688 7688->7686 7689->7686 7689->7687 7691 2f14bff InterlockedExchange 7690->7691 7692 2f14c08 7691->7692 7693 2f14bec GetTickCount 7691->7693 7692->7582 7693->7692 7694 2f14bf7 Sleep 7693->7694 7694->7691 7714 2f14763 7695->7714 7697 2f15b58 7724 2f14699 7697->7724 7700 2f14763 lstrlenA 7701 2f15b6e 7700->7701 7745 2f14f9f 7701->7745 
7703 2f15b79 7703->7560 7705 2f15549 lstrlenA 7710 2f1548a 7705->7710 7707 2f1558d lstrcpynA 7707->7710 7708 2f15a9f lstrcpyA 7708->7710 7709 2f15935 lstrcpynA 7709->7710 7710->7697 7710->7707 7710->7708 7710->7709 7711 2f15472 13 API calls 7710->7711 7712 2f158e7 lstrcpyA 7710->7712 7713 2f14ae6 8 API calls 7710->7713 7718 2f14ae6 7710->7718 7722 2f1ef7c lstrlenA lstrlenA lstrlenA 7710->7722 7711->7710 7712->7710 7713->7710 7716 2f1477a 7714->7716 7715 2f14859 7715->7710 7716->7715 7717 2f1480d lstrlenA 7716->7717 7717->7716 7719 2f14af3 7718->7719 7721 2f14b03 7718->7721 7720 2f1ebed 8 API calls 7719->7720 7720->7721 7721->7705 7723 2f1efb4 7722->7723 7723->7710 7750 2f145b3 7724->7750 7727 2f145b3 7 API calls 7728 2f146c6 7727->7728 7729 2f145b3 7 API calls 7728->7729 7730 2f146d8 7729->7730 7731 2f145b3 7 API calls 7730->7731 7732 2f146ea 7731->7732 7733 2f145b3 7 API calls 7732->7733 7734 2f146ff 7733->7734 7735 2f145b3 7 API calls 7734->7735 7736 2f14711 7735->7736 7737 2f145b3 7 API calls 7736->7737 7738 2f14723 7737->7738 7739 2f1ef7c 3 API calls 7738->7739 7740 2f14735 7739->7740 7741 2f1ef7c 3 API calls 7740->7741 7742 2f1474a 7741->7742 7743 2f1ef7c 3 API calls 7742->7743 7744 2f1475c 7743->7744 7744->7700 7746 2f14fac 7745->7746 7748 2f14fb0 7745->7748 7746->7703 7747 2f14ffd 7747->7703 7748->7747 7749 2f14fd5 IsBadCodePtr 7748->7749 7749->7748 7751 2f145c1 7750->7751 7753 2f145c8 7750->7753 7752 2f1ebcc 4 API calls 7751->7752 7752->7753 7754 2f1ebcc 4 API calls 7753->7754 7756 2f145e1 7753->7756 7754->7756 7755 2f14691 7755->7727 7756->7755 7757 2f1ef7c 3 API calls 7756->7757 7757->7756 7773 2f12d21 GetModuleHandleA 7758->7773 7761 2f12fcf GetProcessHeap HeapFree 7765 2f12f44 7761->7765 7762 2f12f4f 7764 2f12f6b GetProcessHeap HeapFree 7762->7764 7763 2f12f85 7763->7761 7763->7763 7764->7765 7765->7606 7767 2f13900 7766->7767 7768 2f13980 7766->7768 7769 2f130fa 4 API calls 7767->7769 7768->7602 7772 2f1390a 7769->7772 7770 2f1391b GetCurrentThreadId 
7770->7772 7771 2f13939 GetCurrentThreadId 7771->7772 7772->7768 7772->7770 7772->7771 7774 2f12d46 LoadLibraryA 7773->7774 7775 2f12d5b GetProcAddress 7773->7775 7774->7775 7779 2f12d54 7774->7779 7776 2f12d6b DnsQuery_A 7775->7776 7775->7779 7777 2f12d7d 7776->7777 7776->7779 7778 2f12d97 GetProcessHeap HeapAlloc 7777->7778 7777->7779 7778->7779 7780 2f12dac 7778->7780 7779->7762 7779->7763 7779->7765 7780->7777 7781 2f12db5 lstrcpynA 7780->7781 7781->7780 7783 2f1adbf 7782->7783 7807 2f1ad08 gethostname 7783->7807 7786 2f130b5 2 API calls 7787 2f1add3 7786->7787 7788 2f1a7a3 inet_ntoa 7787->7788 7795 2f1ade4 7787->7795 7788->7795 7789 2f1ae85 wsprintfA 7790 2f1ef7c 3 API calls 7789->7790 7792 2f1aebb 7790->7792 7791 2f1ae36 wsprintfA wsprintfA 7793 2f1ef7c 3 API calls 7791->7793 7794 2f1ef7c 3 API calls 7792->7794 7793->7795 7796 2f1aed2 7794->7796 7795->7789 7795->7791 7797 2f1b211 7796->7797 7798 2f1b2bb FileTimeToLocalFileTime FileTimeToSystemTime 7797->7798 7799 2f1b2af GetLocalTime 7797->7799 7800 2f1b2d2 7798->7800 7799->7800 7801 2f1b2d9 SystemTimeToFileTime 7800->7801 7802 2f1b31c GetTimeZoneInformation 7800->7802 7803 2f1b2ec 7801->7803 7804 2f1b33a wsprintfA 7802->7804 7805 2f1b312 FileTimeToSystemTime 7803->7805 7804->7652 7805->7802 7808 2f1ad71 7807->7808 7813 2f1ad26 lstrlenA 7807->7813 7810 2f1ad85 7808->7810 7811 2f1ad79 lstrcpyA 7808->7811 7810->7786 7811->7810 7812 2f1ad68 lstrlenA 7812->7808 7813->7808 7813->7812 7815 2f12d21 7 API calls 7814->7815 7816 2f12f01 7815->7816 7817 2f12f14 7816->7817 7818 2f12f06 7816->7818 7819 2f12684 2 API calls 7817->7819 7837 2f12df2 GetModuleHandleA 7818->7837 7821 2f12f1d 7819->7821 7821->7400 7823 2f12f1f 7823->7400 7825 2f1f428 14 API calls 7824->7825 7826 2f1198a 7825->7826 7827 2f11990 closesocket 7826->7827 7828 2f11998 7826->7828 7827->7828 7828->7395 7830 2f11c80 7829->7830 7831 2f11cc2 wsprintfA 7830->7831 7833 2f11d1c 7830->7833 7835 2f11d79 7830->7835 7832 2f12684 2 API calls 7831->7832 7832->7830 
(control-flow graph continued; the node/edge list is rendered-graph residue and is omitted. Remaining nodes by routine and API: 02F12E0B: LoadLibraryA, GetProcAddress, GetProcessHeap, HeapAlloc, htons, inet_addr, gethostbyname, HeapFree; 02F12CEB: Sleep, calling 02F12A62: GetProcessHeap, HeapAlloc, socket, htons, select, recv, closesocket, HeapFree, with 02F126FF doing GetTickCount and sendto; 02F16BC0: CreateFileA, WriteFile, CloseHandle, DeleteFileA; 02F18C51: lstrcmpA; 02F16410, 02F16069 and 02F15F3F: VirtualAlloc ×2, IsBadReadPtr, LoadLibraryA, GetProcAddress ×2, VirtualProtect (a sequence consistent with manual image mapping); 02F16246: FreeLibrary, VirtualFree; 02F16511 (the callback passed to SetUnhandledExceptionFilter below): wsprintfA, IsBadReadPtr, htonl, GetCurrentProcess, StackWalk64, ExitProcess; 02F14E92: GetTickCount, InterlockedExchange, Sleep; 02F15D93, 02F15C05 and 02F15B84: IsBadWritePtr; 02F1F483: WSAStartup; 02F1F26D: setsockopt ×5; 02F1E749: lstrcmpA.)
                                                                    APIs
                                                                    • closesocket.WS2_32(?), ref: 02F1CA4E
                                                                    • closesocket.WS2_32(?), ref: 02F1CB63
                                                                    • GetTempPathA.KERNEL32(00000120,?), ref: 02F1CC28
                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02F1CCB4
                                                                    • WriteFile.KERNEL32(02F1A4B3,?,-000000E8,?,00000000), ref: 02F1CCDC
                                                                    • CloseHandle.KERNEL32(02F1A4B3), ref: 02F1CCED
                                                                    • wsprintfA.USER32 ref: 02F1CD21
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02F1CD77
                                                                    • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02F1CD89
                                                                    • CloseHandle.KERNEL32(?), ref: 02F1CD98
                                                                    • CloseHandle.KERNEL32(?), ref: 02F1CD9D
                                                                    • DeleteFileA.KERNEL32(?), ref: 02F1CDC4
                                                                    • CloseHandle.KERNEL32(02F1A4B3), ref: 02F1CDCC
                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02F1CFB1
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02F1CFEF
                                                                    • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02F1D033
                                                                    • lstrcatA.KERNEL32(?,04700108), ref: 02F1D10C
                                                                    • SetFileAttributesA.KERNEL32(?,00000080), ref: 02F1D155
                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02F1D171
                                                                    • WriteFile.KERNEL32(00000000,0470012C,?,?,00000000), ref: 02F1D195
                                                                    • CloseHandle.KERNEL32(00000000), ref: 02F1D19C
                                                                    • SetFileAttributesA.KERNEL32(?,00000002), ref: 02F1D1C8
                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02F1D231
                                                                    • lstrcatA.KERNEL32(?,04700108,?,?,?,?,?,?,?,00000100), ref: 02F1D27C
                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02F1D2AB
                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02F1D2C7
                                                                    • WriteFile.KERNEL32(00000000,0470012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02F1D2EB
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02F1D2F2
                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02F1D326
                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02F1D372
                                                                    • lstrcatA.KERNEL32(?,04700108,?,?,?,?,?,?,?,00000100), ref: 02F1D3BD
                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02F1D3EC
                                                                    • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02F1D408
                                                                    • WriteFile.KERNEL32(00000000,0470012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02F1D428
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02F1D42F
                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02F1D45B
                                                                    • CreateProcessA.KERNEL32(?,02F20264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02F1D4DE
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02F1D4F4
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02F1D4FC
                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02F1D513
                                                                    • closesocket.WS2_32(?), ref: 02F1D56C
                                                                    • Sleep.KERNEL32(000003E8), ref: 02F1D577
                                                                    • ExitProcess.KERNEL32 ref: 02F1D583
                                                                    • wsprintfA.USER32 ref: 02F1D81F
                                                                      • Part of subcall function 02F1C65C: send.WS2_32(00000000,?,00000000), ref: 02F1C74B
                                                                    • closesocket.WS2_32(?), ref: 02F1DAD5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                    • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\soirllif\rdliobhf.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                    • API String ID: 562065436-430369839
                                                                    • Opcode ID: 18a386242b3ac90742515fc241293fc6bd02301dee466eabe83a0a9e1ea45731
                                                                    • Instruction ID: f54f20524dbd457271158083a32169bc620463433e97a61d8d4f9457c3649299
                                                                    • Opcode Fuzzy Hash: 18a386242b3ac90742515fc241293fc6bd02301dee466eabe83a0a9e1ea45731
                                                                    • Instruction Fuzzy Hash: 35B2C6B2D80219AFFB20DBA4DC45FEABBBDEB053C4F85045AEB05A6180D7309959CF51
                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 02F19A7F
                                                                    • SetErrorMode.KERNELBASE(00000003), ref: 02F19A83
                                                                    • SetUnhandledExceptionFilter.KERNEL32(02F16511), ref: 02F19A8A
                                                                      • Part of subcall function 02F1EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02F1EC5E
                                                                      • Part of subcall function 02F1EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02F1EC72
                                                                      • Part of subcall function 02F1EC54: GetTickCount.KERNEL32 ref: 02F1EC78
                                                                    • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02F19AB3
                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 02F19ABA
                                                                    • GetCommandLineA.KERNEL32 ref: 02F19AFD
                                                                    • lstrlenA.KERNEL32(?), ref: 02F19B99
                                                                    • ExitProcess.KERNEL32 ref: 02F19C06
                                                                    • GetTempPathA.KERNEL32(000001F4,?), ref: 02F19CAC
                                                                    • lstrcpyA.KERNEL32(?,00000000), ref: 02F19D7A
                                                                    • lstrcatA.KERNEL32(?,?), ref: 02F19D8B
                                                                    • lstrcatA.KERNEL32(?,02F2070C), ref: 02F19D9D
                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02F19DED
                                                                    • DeleteFileA.KERNEL32(00000022), ref: 02F19E38
                                                                    • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02F19E6F
                                                                    • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02F19EC8
                                                                    • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02F19ED5
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02F19F3B
                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02F19F5E
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02F19F6A
                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02F19FAD
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02F19FB4
                                                                    • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02F19FFE
                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 02F1A038
                                                                    • lstrcatA.KERNEL32(00000022,02F20A34), ref: 02F1A05E
                                                                    • lstrcatA.KERNEL32(00000022,00000022), ref: 02F1A072
                                                                    • lstrcatA.KERNEL32(00000022,02F20A34), ref: 02F1A08D
                                                                    • wsprintfA.USER32 ref: 02F1A0B6
                                                                    • lstrcatA.KERNEL32(00000022,00000000), ref: 02F1A0DE
                                                                    • lstrcatA.KERNEL32(00000022,?), ref: 02F1A0FD
                                                                    • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 02F1A120
                                                                    • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02F1A131
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 02F1A174
                                                                    • GetModuleFileNameA.KERNEL32(00000000), ref: 02F1A17B
                                                                    • GetDriveTypeA.KERNEL32(00000022), ref: 02F1A1B6
                                                                    • GetCommandLineA.KERNEL32 ref: 02F1A1E5
                                                                      • Part of subcall function 02F199D2: lstrcpyA.KERNEL32(?,?,00000100,02F222F8,00000000,?,02F19E9D,?,00000022,?,?,?,?,?,?,?), ref: 02F199DF
                                                                      • Part of subcall function 02F199D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02F19E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02F19A3C
                                                                      • Part of subcall function 02F199D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02F19E9D,?,00000022,?,?,?), ref: 02F19A52
                                                                    • lstrlenA.KERNEL32(?), ref: 02F1A288
                                                                    • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02F1A3B7
                                                                    • GetLastError.KERNEL32 ref: 02F1A3ED
                                                                    • Sleep.KERNELBASE(000003E8), ref: 02F1A400
                                                                    • DeleteFileA.KERNELBASE(02F233D8), ref: 02F1A407
                                                                    • CreateThread.KERNELBASE(00000000,00000000,02F1405E,00000000,00000000,00000000), ref: 02F1A42C
                                                                    • WSAStartup.WS2_32(00001010,?), ref: 02F1A43A
                                                                    • CreateThread.KERNELBASE(00000000,00000000,02F1877E,00000000,00000000,00000000), ref: 02F1A469
                                                                    • Sleep.KERNELBASE(00000BB8), ref: 02F1A48A
                                                                    • GetTickCount.KERNEL32 ref: 02F1A49F
                                                                    • GetTickCount.KERNEL32 ref: 02F1A4B7
                                                                    • Sleep.KERNELBASE(00001A90), ref: 02F1A4C3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                    • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\soirllif\rdliobhf.exe$D$P$\$soirllif
                                                                    • API String ID: 2089075347-3576466545
                                                                    • Opcode ID: 730be17f447511e7976acbe5e8d128c6f21e3635856ecb8c2aa4b6319b13cae9
                                                                    • Instruction ID: 54aaf29cbf134defff27741ce710a757fb6bdd3e7e15ae9070588d60ea0cc309
                                                                    • Opcode Fuzzy Hash: 730be17f447511e7976acbe5e8d128c6f21e3635856ecb8c2aa4b6319b13cae9
                                                                    • Instruction Fuzzy Hash: 8752B9B2D4125DAFEB21DBA0CC49EDE77BCAF05384F8444A9E709E2140DB719A48CF61

                                                                    Control-flow Graph

control_flow_graph for 02F1199C (rendered graph omitted; the executed/not-executed colouring does not survive as text): inet_addr → LoadLibraryA(Iphlpapi.dll) → GetProcAddress ×3 → GetBestInterface → GetProcessHeap/HeapAlloc → GetAdaptersInfo, with HeapReAlloc and a second GetAdaptersInfo on one path, then a loop over the returned adapter list → HeapFree → FreeLibrary. A failed LoadLibraryA returns without FreeLibrary; a failed GetProcAddress goes straight to FreeLibrary.
                                                                    APIs
                                                                    • inet_addr.WS2_32(123.45.67.89), ref: 02F119B1
                                                                    • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02F11E9E), ref: 02F119BF
                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02F119E2
                                                                    • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 02F119ED
                                                                    • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 02F119F9
                                                                    • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02F11E9E), ref: 02F11A1B
                                                                    • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02F11E9E), ref: 02F11A1D
                                                                    • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02F11E9E), ref: 02F11A36
                                                                    • GetAdaptersInfo.IPHLPAPI(00000000,02F11E9E,?,?,?,?,00000001,02F11E9E), ref: 02F11A4A
                                                                    • HeapReAlloc.KERNEL32(?,00000000,00000000,02F11E9E,?,?,?,?,00000001,02F11E9E), ref: 02F11A5A
                                                                    • GetAdaptersInfo.IPHLPAPI(00000000,02F11E9E,?,?,?,?,00000001,02F11E9E), ref: 02F11A6E
                                                                    • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02F11E9E), ref: 02F11A9B
                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02F11E9E), ref: 02F11AA4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                    • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                    • API String ID: 293628436-270533642
                                                                    • Opcode ID: 0c4d0e96aabefff26a52b43c449bcaa5db26930ae43b645b3031d0b08738dacf
                                                                    • Instruction ID: db849760bb6e073315f16648cb875b703d45951d3af9758aff6ef4d2f0c06163
                                                                    • Opcode Fuzzy Hash: 0c4d0e96aabefff26a52b43c449bcaa5db26930ae43b645b3031d0b08738dacf
                                                                    • Instruction Fuzzy Hash: F9316F32E40219AFDB219FE4CC888BFBFB9EF56685B55057EE705A2140DB308A44CB60

                                                                    Control-flow Graph

control_flow_graph for 02F17A95 (rendered graph omitted): RegOpenKeyExA → GetUserNameA → LookupAccountNameA → RegGetKeySecurity → GetSecurityDescriptorOwner → EqualSid; on one EqualSid outcome LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, RegSetKeySecurity, LocalFree; then GetSecurityDescriptorDacl → a loop over GetAce with EqualSid checks and DeleteAce → on one path a second RegOpenKeyExA and RegSetValueExA (via the call at 2f12544) → LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegSetKeySecurity, LocalFree → RegCloseKey. The failure edges from GetUserNameA, LookupAccountNameA and RegGetKeySecurity also lead to RegCloseKey.
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02F17ABA
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 02F17ADF
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,02F2070C,?,?,?), ref: 02F17B16
                                                                    • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02F17B3B
                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02F17B59
                                                                    • EqualSid.ADVAPI32(?,00000022), ref: 02F17B6A
                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 02F17B7E
                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02F17B8C
                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02F17B9C
                                                                    • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02F17BAB
                                                                    • LocalFree.KERNEL32(00000000), ref: 02F17BB2
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,02F17FC9,?,00000000), ref: 02F17BCE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                    • String ID: C:\Windows\SysWOW64\soirllif\rdliobhf.exe$D
                                                                    • API String ID: 2976863881-130915176
                                                                    • Opcode ID: 973e52edc76a9d0405dcd01c20873d52789aec5f22c09723282a069056a93c31
                                                                    • Instruction ID: 5edb5a36a2f271d29e691e01581333cfa36e330c73872d697961a2cb90304499
                                                                    • Opcode Fuzzy Hash: 973e52edc76a9d0405dcd01c20873d52789aec5f22c09723282a069056a93c31
                                                                    • Instruction Fuzzy Hash: 65A14E72D4021DAFEB21DFA0CC84EEEFB79FB45784F454469E60AE2140DB358A45CB60
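Reading the API listings above by hand means translating raw stack values into SDK constants. In the file-drop routine, SetFileAttributesA(?,00000002) is FILE_ATTRIBUTE_HIDDEN, CreateProcessA with 08000000 is CREATE_NO_WINDOW and WaitForSingleObject(?,0000EA60) waits 60 s before DeleteFileA removes the dropped file. In the entry routine, RegOpenKeyExA(80000001,…) opens HKEY_CURRENT_USER and RegSetValueExA with type 00000001 writes a REG_SZ. In the adapter routine, GetBestInterface is asked which interface routes to 123.45.67.89, a dummy destination that yields the default-route interface, before the GetAdaptersInfo list is walked. In the registry-ACL routine, the 000E0100 access mask is READ_CONTROL|WRITE_DAC|WRITE_OWNER|KEY_WOW64_64KEY (a 32-bit process reaching the 64-bit view of the key), RegGetKeySecurity with 00000005 reads owner and DACL, and RegSetKeySecurity with 00000001 writes the owner back; the control-flow graph then shows GetAce/DeleteAce and SetSecurityDescriptorDacl stripping entries. One caveat: Joe Sandbox prints stack slots past the documented parameter count, so trailing values such as 00000100 or 02F11E9E are caller-frame content and should not be decoded. The Python below is an added example that does this decoding and call-chain matching mechanically over lines pasted from this page; it is not part of the Joe Sandbox report and contains no code from the analysed sample, and the rule names, the Call type and the helper functions are my own choices.

```python
"""Added triage helper for the Joe Sandbox API listings above. It is not part of
the report and contains no code from the analysed sample; the rule names, the
Call type and the helper functions are my own. A listing line looks like:
  • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02F1D171
"""
import re
from collections import namedtuple

LINE_RE = re.compile(r"(?P<api>\w+)\.(?P<module>[\w.]+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
Call = namedtuple("Call", "api args ref")  # args: one int per stack slot, None for '?'

def parse(listing):
    """Turn report lines into Call records; lines that are not calls are skipped."""
    calls = []
    for m in filter(None, map(LINE_RE.search, listing.splitlines())):
        slots = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        args = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None for a in slots]
        calls.append(Call(m.group("api"), args, int(m.group("ref"), 16)))
    return calls

# SDK constants keyed by (API, parameter index). Joe Sandbox prints raw stack
# slots, so anything past the documented parameter count is caller-frame noise
# and is deliberately not decoded.
NAMED = {
    ("CreateFileA", 1): {0x40000000: "GENERIC_WRITE", 0xC0000000: "GENERIC_READ|GENERIC_WRITE"},
    ("CreateFileA", 4): {0x2: "CREATE_ALWAYS"},
    ("SetFileAttributesA", 1): {0x80: "FILE_ATTRIBUTE_NORMAL", 0x2: "FILE_ATTRIBUTE_HIDDEN"},
    ("CreateProcessA", 5): {0x08000000: "CREATE_NO_WINDOW"},
    ("RegOpenKeyExA", 0): {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    ("RegSetValueExA", 3): {0x1: "REG_SZ"},
    ("RegGetKeySecurity", 1): {0x5: "OWNER_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION"},
    ("RegSetKeySecurity", 1): {0x1: "OWNER_SECURITY_INFORMATION", 0x4: "DACL_SECURITY_INFORMATION"},
}
TIMEOUT_SLOT = {"Sleep": 0, "WaitForSingleObject": 1}  # millisecond parameters
KEY_ACCESS_BITS = [(0x80000, "WRITE_OWNER"), (0x40000, "WRITE_DAC"), (0x20000, "READ_CONTROL"),
                   (0x100, "KEY_WOW64_64KEY"), (0x2, "KEY_SET_VALUE"), (0x1, "KEY_QUERY_VALUE")]

def decode_key_access(mask):
    """Name the rights in a RegOpenKeyEx samDesired mask; unknown bits stay as hex."""
    names = [name for bit, name in KEY_ACCESS_BITS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in KEY_ACCESS_BITS)
    return names + ([hex(rest)] if rest else [])

def annotate(call):
    """Decoded meaning of one call's arguments, e.g. ['arg5=CREATE_NO_WINDOW']."""
    out = []
    for idx, value in enumerate(call.args):
        if value is None:
            continue
        name = NAMED.get((call.api, idx), {}).get(value)
        if name or TIMEOUT_SLOT.get(call.api) == idx:
            out.append(f"arg{idx}={name or f'{value} ms'}")
    return out

# A rule is an ordered list of (API, None or (slot, required value)); it fires when
# its steps occur in that order anywhere in the listing, not necessarily adjacently.
RULES = {
    "drop_and_execute": [("CreateFileA", (4, 0x2)), ("WriteFile", None),
                         ("CreateProcessA", None), ("DeleteFileA", None)],
    "hidden_dropped_file": [("WriteFile", None), ("SetFileAttributesA", (1, 0x2))],
    "hkcu_persistence": [("RegOpenKeyExA", (0, 0x80000001)), ("RegSetValueExA", (3, 0x1))],
    "default_route_lookup": [("inet_addr", None), ("GetBestInterface", None), ("GetAdaptersInfo", None)],
    "registry_take_ownership": [("RegGetKeySecurity", None), ("SetSecurityDescriptorOwner", None),
                                ("RegSetKeySecurity", (1, 0x1))],
    "ace_removal": [("GetAce", None), ("DeleteAce", None)],
}

def triage(listing):
    """Map each rule name to True if its call chain appears in the listing."""
    calls, verdict = parse(listing), {}
    for rule, steps in RULES.items():
        pos = 0
        for call in calls:
            api, cond = steps[pos] if pos < len(steps) else (None, None)
            if call.api == api and (cond is None or
                                    (cond[0] < len(call.args) and call.args[cond[0]] == cond[1])):
                pos += 1
        verdict[rule] = pos == len(steps)
    return verdict

# Sample input: lines copied from the API listings above (file-drop routine,
# entry routine, adapter routine and registry-ACL routine).
DROP_ROUTINE = """
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02F1CCB4
• WriteFile.KERNEL32(02F1A4B3,?,-000000E8,?,00000000), ref: 02F1CCDC
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02F1CD77
• DeleteFileA.KERNEL32(?), ref: 02F1CDC4
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02F1D1C8"""
ENTRY_ROUTINE = """
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02F19F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02F19F5E"""
ADAPTER_ROUTINE = """
• inet_addr.WS2_32(123.45.67.89), ref: 02F119B1
• GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02F11E9E), ref: 02F11A1B
• GetAdaptersInfo.IPHLPAPI(00000000,02F11E9E,?,?,?,?,00000001,02F11E9E), ref: 02F11A4A"""
ACL_ROUTINE = """
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02F17B3B
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02F17B9C
• RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02F17BAB"""
```

Calling triage(DROP_ROUTINE) marks drop_and_execute and hidden_dropped_file, triage(ENTRY_ROUTINE) marks hkcu_persistence, and triage(ACL_ROUTINE) marks registry_take_ownership only: the printed API list for 02F17A95 stops at GetSecurityDescriptorDacl, so the GetAce/DeleteAce step that fires ace_removal is visible only in the control-flow graph, which is a reminder that the per-function API list is truncated and the graph has to be read alongside it. decode_key_access(0xE0100) returns the four rights named above, and the argument decoding is positional on purpose: matching constants by value anywhere in the slot list would mislabel caller-frame residue such as the trailing 00000103.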

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 02F1782F
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02F17866
                                                                    • GetLengthSid.ADVAPI32(?), ref: 02F17878
                                                                    • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02F1789A
                                                                    • GetSecurityDescriptorOwner.ADVAPI32(?,02F17F63,?), ref: 02F178B8
                                                                    • EqualSid.ADVAPI32(?,02F17F63), ref: 02F178D2
                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 02F178E3
                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02F178F1
                                                                    • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02F17901
                                                                    • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02F17910
                                                                    • LocalFree.KERNEL32(00000000), ref: 02F17917
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02F17933
                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 02F17963
                                                                    • EqualSid.ADVAPI32(?,02F17F63), ref: 02F1798A
                                                                    • DeleteAce.ADVAPI32(?,00000000), ref: 02F179A3
                                                                    • EqualSid.ADVAPI32(?,02F17F63), ref: 02F179C5
                                                                    • LocalAlloc.KERNEL32(00000040,00000014), ref: 02F17A4A
                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02F17A58
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02F17A69
                                                                    • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02F17A79
                                                                    • LocalFree.KERNEL32(00000000), ref: 02F17A87
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                    • String ID: D
                                                                    • API String ID: 3722657555-2746444292
                                                                    • Opcode ID: 577b01b5f8f487479e798cf68531869abe88e325da43a2820410ede62c93f251
                                                                    • Instruction ID: 8394a735326f970c9fb16e86cb2f316b5335f06bc413e10c437138318452f595
                                                                    • Opcode Fuzzy Hash: 577b01b5f8f487479e798cf68531869abe88e325da43a2820410ede62c93f251
                                                                    • Instruction Fuzzy Hash: 77816D72D0011DABDB21DFA1CD44FEEFBB8AF09785F45446AE609E2150DB348649CFA0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,02F20750,?,?,00000000,localcfg,00000000), ref: 02F183F3
                                                                    • RegQueryValueExA.KERNELBASE(02F20750,?,00000000,?,02F18893,?,?,?,00000000,00000103,02F20750,?,?,00000000,localcfg,00000000), ref: 02F18414
                                                                    • RegSetValueExA.KERNELBASE(02F20750,?,00000000,00000004,02F18893,00000004,?,?,00000000,00000103,02F20750,?,?,00000000,localcfg,00000000), ref: 02F18441
                                                                    • RegCloseKey.ADVAPI32(02F20750,?,?,00000000,00000103,02F20750,?,?,00000000,localcfg,00000000), ref: 02F1844A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Value$CloseOpenQuery
                                                                    • String ID: C:\Windows\SysWOW64\soirllif\rdliobhf.exe$localcfg
                                                                    • API String ID: 237177642-2022263889
                                                                    • Opcode ID: 579ddcd656f2deb09c6f03fe8d8c6135e3329e69f269b6d77b4cc6f1b4583755
                                                                    • Instruction ID: 239dcec225dcf35bb38aad9683846f355a6d927e8829b3fdc8675b3562a33af4
                                                                    • Opcode Fuzzy Hash: 579ddcd656f2deb09c6f03fe8d8c6135e3329e69f269b6d77b4cc6f1b4583755
                                                                    • Instruction Fuzzy Hash: 4DC192B2D8010DBEFB21AB94DD85EEEBB7DEB157C4F540469FB05A2140EB304A588F21

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetVersionExA.KERNEL32 ref: 02F11DC6
                                                                    • GetSystemInfo.KERNELBASE(?), ref: 02F11DE8
                                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02F11E03
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02F11E0A
                                                                    • GetCurrentProcess.KERNEL32(?), ref: 02F11E1B
                                                                    • GetTickCount.KERNEL32 ref: 02F11FC9
                                                                      • Part of subcall function 02F11BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02F11C15
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                    • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                    • API String ID: 4207808166-1381319158
                                                                    • Opcode ID: 01d6bb202f41ed2c804328764f2a3cee8cddde10dd598783ec65fa7501197d4a
                                                                    • Instruction ID: ebfe8d785f1dca8a843e60758efd35fc47dc9ade40f78280dae521d9bc3b0f2b
                                                                    • Opcode Fuzzy Hash: 01d6bb202f41ed2c804328764f2a3cee8cddde10dd598783ec65fa7501197d4a
                                                                    • Instruction Fuzzy Hash: 245184B19043486FF330AF658C85F27BAECEB557C8F84091DFB4A82141DB75A908CB65

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 02F17472
                                                                    • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F174F0
                                                                    • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F17528
                                                                    • ___ascii_stricmp.LIBCMT ref: 02F1764D
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F176E7
                                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02F17706
                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F17717
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F17745
                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F177EF
                                                                      • Part of subcall function 02F1F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02F222F8,000000C8,02F17150,?), ref: 02F1F1AD
                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02F1778F
                                                                    • RegCloseKey.KERNELBASE(?), ref: 02F177E6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                    • String ID: "
                                                                    • API String ID: 3433985886-123907689
                                                                    • Opcode ID: 22bfe9d8ae4ef31c015e8d1b2b4a2fffed04b3a1e85345b5d18448d2f1ea5a30
                                                                    • Instruction ID: 7be587ebbcb706a6cc390a121a7c9fd1c0ff1dc778001cda7ffedc481daaa333
                                                                    • Opcode Fuzzy Hash: 22bfe9d8ae4ef31c015e8d1b2b4a2fffed04b3a1e85345b5d18448d2f1ea5a30
                                                                    • Instruction Fuzzy Hash: 8DC19472D40219AFEB21EBA4DC44FEEBBB9EF45390F540495E608E6190EB31DA44CF60

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 02F1677E
                                                                    • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 02F1679A
                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 02F167B0
                                                                    • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 02F167BF
                                                                    • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 02F167D3
                                                                    • ReadFile.KERNELBASE(000000FF,?,00000040,02F18244,00000000,?,74DF0F10,00000000), ref: 02F16807
                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02F1681F
                                                                    • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 02F1683E
                                                                    • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02F1685C
                                                                    • ReadFile.KERNEL32(000000FF,?,00000028,02F18244,00000000,?,74DF0F10,00000000), ref: 02F1688B
                                                                    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 02F16906
                                                                    • ReadFile.KERNEL32(000000FF,?,00000000,02F18244,00000000,?,74DF0F10,00000000), ref: 02F1691C
                                                                    • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 02F16971
                                                                      • Part of subcall function 02F1EC2E: GetProcessHeap.KERNEL32(00000000,02F1EA27,00000000,02F1EA27,00000000), ref: 02F1EC41
                                                                      • Part of subcall function 02F1EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02F1EC48
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                    • String ID:
                                                                    • API String ID: 1400801100-0
                                                                    • Opcode ID: f78989e0c88b0c2020c359cdffcfbd58957e5fca0b4dfcbc886427e239d93816
                                                                    • Instruction ID: 7621e214a595d63ad044abad5f7d3827e039c03857c97499337a8aafd81dcb1f
                                                                    • Opcode Fuzzy Hash: f78989e0c88b0c2020c359cdffcfbd58957e5fca0b4dfcbc886427e239d93816
                                                                    • Instruction Fuzzy Hash: FC71F472D0021DEFDB158FA4CC80AEEBBB9EF04394F50456AEA15E6190E7309E56DF60

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • htons.WS2_32(02F1CA1D), ref: 02F1F34D
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 02F1F367
                                                                    • closesocket.WS2_32(00000000), ref: 02F1F375
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: closesockethtonssocket
                                                                    • String ID: time_cfg
                                                                    • API String ID: 311057483-2401304539
                                                                    • Opcode ID: 49ee634565d722d8181d96c1cc9ac302e06a38e6432a0054e489abd982e73112
                                                                    • Instruction ID: ad4893a8101d15cb8fe89b694db6597343cd93217b67b2bb27c1b66a61e5e6fa
                                                                    • Opcode Fuzzy Hash: 49ee634565d722d8181d96c1cc9ac302e06a38e6432a0054e489abd982e73112
                                                                    • Instruction Fuzzy Hash: 7E316D7294021DABDB109FA5EC859EEBBBCFF49390F50466AFA15D2140E7309A458BA0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02F14070
                                                                    • ExitProcess.KERNEL32 ref: 02F14121
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateEventExitProcess
                                                                    • String ID:
                                                                    • API String ID: 2404124870-0
                                                                    • Opcode ID: c6c759a15656fff70e1631fa3047293d3ce70bd45d214be461d06310bf0727fc
                                                                    • Instruction ID: 77d4147e5034a7ef5c770e7a9020b53471550c90313872aaab051ca79e3549dc
                                                                    • Opcode Fuzzy Hash: c6c759a15656fff70e1631fa3047293d3ce70bd45d214be461d06310bf0727fc
                                                                    • Instruction Fuzzy Hash: 6951A3B2D40219BBEB21AAA19C45FFFBB7DEF55794F800065FB10B6080E7318A45CB61

                                                                    Control-flow Graph (edge list only; rendered graph not reproduced)
                                                                    • Entry block 02F12D21, last block 02F12DF1. APIs on the graph: GetModuleHandleA, LoadLibraryA, GetProcAddress, DnsQuery_A, GetProcessHeap, HeapAlloc, lstrcpynA. Internal calls: 02F1EE2A.
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,02F12F01,?,02F120FF,02F22000), ref: 02F12D3A
                                                                    • LoadLibraryA.KERNEL32(?), ref: 02F12D4A
                                                                    • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02F12D61
                                                                    • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02F12D77
                                                                    • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02F12D99
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 02F12DA0
                                                                    • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02F12DCB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                    • String ID: DnsQuery_A$dnsapi.dll
                                                                    • API String ID: 233223969-3847274415
                                                                    • Opcode ID: ab557056014b98b7bec9d2b184d38914a0fd142c31af21fa9767252649505df0
                                                                    • Instruction ID: 8dfe6bc8dc20bbb76476588dde53bebb5460efefc8e00c65375ff35e92b102a9
                                                                    • Opcode Fuzzy Hash: ab557056014b98b7bec9d2b184d38914a0fd142c31af21fa9767252649505df0
                                                                    • Instruction Fuzzy Hash: 60216072D4023AABDB219F94DC48AAEBBB8FF19B90F514416FE06E7100D77099859BD0

                                                                    Control-flow Graph (edge list only; rendered graph not reproduced)
                                                                    • Entry block 02F180C9, last block 02F18273. APIs on the graph: RegOpenKeyExA, RegQueryValueExA (two call sites), RegCloseKey. Internal calls: 02F16EC3, 02F1704C, 02F17EE6, 02F1675C, 02F12544, 02F124C2, 02F1EC2E, 02F1EE2A, 02F1EBCC, 02F1EF00.
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02F1815F
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02F1A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02F18187
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,02F1A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02F181BE
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02F18210
                                                                      • Part of subcall function 02F1675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 02F1677E
                                                                      • Part of subcall function 02F1675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 02F1679A
                                                                      • Part of subcall function 02F1675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 02F167B0
                                                                      • Part of subcall function 02F1675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 02F167BF
                                                                      • Part of subcall function 02F1675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 02F167D3
                                                                      • Part of subcall function 02F1675C: ReadFile.KERNELBASE(000000FF,?,00000040,02F18244,00000000,?,74DF0F10,00000000), ref: 02F16807
                                                                      • Part of subcall function 02F1675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02F1681F
                                                                      • Part of subcall function 02F1675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 02F1683E
                                                                      • Part of subcall function 02F1675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02F1685C
                                                                      • Part of subcall function 02F1EC2E: GetProcessHeap.KERNEL32(00000000,02F1EA27,00000000,02F1EA27,00000000), ref: 02F1EC41
                                                                      • Part of subcall function 02F1EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02F1EC48
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                    • String ID: C:\Windows\SysWOW64\soirllif\rdliobhf.exe
                                                                    • API String ID: 124786226-812669611
                                                                    • Opcode ID: 724150f9a50eb03cda6a654d491359b9188e3c4adc37452734c588161de5274e
                                                                    • Instruction ID: 15a3b1064726825baef4c718e60f1d56696e23470827de8698a571e2e00de74c
                                                                    • Opcode Fuzzy Hash: 724150f9a50eb03cda6a654d491359b9188e3c4adc37452734c588161de5274e
                                                                    • Instruction Fuzzy Hash: F34181B2D4015DBFFB25EBA09E80DBEB76D9B053C4F94086AEA05E7000EB305A58CB51

                                                                    Control-flow Graph (edge list only; rendered graph not reproduced)
                                                                    • Entry block 02F11AC3, last block 02F11B70. APIs on the graph: LoadLibraryA, GetProcAddress, GetAdaptersAddresses. Internal calls: 02F1EBED, 02F1EC2E.
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02F11AD4
                                                                    • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02F11AE9
                                                                    • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02F11B20
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                    • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                    • API String ID: 3646706440-1087626847
                                                                    • Opcode ID: dfffe0f90793c3547895e701162b324574354d3ae876adac0dc0e43af1d9d7a3
                                                                    • Instruction ID: e26eb3a7e92f6b4485f76d3f348fb2abd7212716937e40f8be39b6baa54e09d6
                                                                    • Opcode Fuzzy Hash: dfffe0f90793c3547895e701162b324574354d3ae876adac0dc0e43af1d9d7a3
                                                                    • Instruction Fuzzy Hash: CC11DA72E01138BFDB11DBA9DC848EFFBB9EB44B90B95405AE309A3140E7305A44CB94

                                                                    Control-flow Graph (edge list only; rendered graph not reproduced)
                                                                    • Entry block 02F1E3CA, last block 02F1E52D. APIs on the graph: RegOpenKeyExA, RegQueryValueExA (three call sites), RegCloseKey. Internal calls: 02F1EE08, 02F1F1ED, 02F1DB2E, 02F12544, 02F1E332.
                                                                    APIs
                                                                    • RegOpenKeyExA.KERNELBASE(80000001,02F1E5F2,00000000,00020119,02F1E5F2,02F222F8), ref: 02F1E3E6
                                                                    • RegQueryValueExA.ADVAPI32(02F1E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 02F1E44E
                                                                    • RegQueryValueExA.ADVAPI32(02F1E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 02F1E482
                                                                    • RegQueryValueExA.ADVAPI32(02F1E5F2,?,00000000,?,80000001,?), ref: 02F1E4CF
                                                                    • RegCloseKey.ADVAPI32(02F1E5F2,?,?,?,?,000000C8,000000E4), ref: 02F1E520
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: QueryValue$CloseOpen
                                                                    • String ID:
                                                                    • API String ID: 1586453840-0
                                                                    • Opcode ID: fc60f9877d7a94746b4064aee561bc59314f3f5e10ff21b5f00cf774d2341194
                                                                    • Instruction ID: 7ae3e197548befaddf3e9587722d7090b2988df92ab0d7cf98dad07acfec910e
                                                                    • Opcode Fuzzy Hash: fc60f9877d7a94746b4064aee561bc59314f3f5e10ff21b5f00cf774d2341194
                                                                    • Instruction Fuzzy Hash: 1B4109B2D0021DAFEF119FD4DC85DEEBBBDEB08384F544566EA11E2150E3319A159F60

                                                                    Control-flow Graph (edge list only; rendered graph not reproduced)
                                                                    • Single block 02F1F26D-02F1F303 containing five setsockopt calls.
                                                                    APIs
                                                                    • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02F1F2A0
                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02F1F2C0
                                                                    • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02F1F2DD
                                                                    • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02F1F2EC
                                                                    • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02F1F2FD
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: setsockopt
                                                                    • String ID:
                                                                    • API String ID: 3981526788-0
                                                                    • Opcode ID: 8e1124a05c361682b87cc902e682f877d577585e3cf101a060003f225fbde4cb
                                                                    • Instruction ID: bb347f60b1fc18f746bd9716e1db20b2996a51cb224ecc36a6ba6d66d22c079a
                                                                    • Opcode Fuzzy Hash: 8e1124a05c361682b87cc902e682f877d577585e3cf101a060003f225fbde4cb
                                                                    • Instruction Fuzzy Hash: AA110DB2A40248BAEF11DF94CD41FDE7FBDEB44751F004066BB04EA1D0E6B19A44CB94

                                                                    Control-flow Graph (edge list only; rendered graph not reproduced)
                                                                    • Entry block 02F11BDF, last block 02F11C5E. APIs on the graph: GetComputerNameA, GetVolumeInformationA. Internal calls: 02F11AC3.
                                                                    APIs
                                                                      • Part of subcall function 02F11AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02F11AD4
                                                                      • Part of subcall function 02F11AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02F11AE9
                                                                      • Part of subcall function 02F11AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02F11B20
                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 02F11C15
                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02F11C51
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                    • String ID: hi_id$localcfg
                                                                    • API String ID: 2794401326-2393279970
                                                                    • Opcode ID: 9c0768e1f53d7943cfc1b9deefaa8326be4f297e10b4fd3ad6ebbead4074cc41
                                                                    • Instruction ID: 526ef537c71bdbfbe3f5027070ba87883bbb9254f384a6ecbe7f36f1d7f06914
                                                                    • Opcode Fuzzy Hash: 9c0768e1f53d7943cfc1b9deefaa8326be4f297e10b4fd3ad6ebbead4074cc41
                                                                    • Instruction Fuzzy Hash: 3F0192B2E0421CBFEB50DAF8C8C49EFBBBCEB54689F500479E706E3540D6309E4496A0
                                                                    APIs
                                                                      • Part of subcall function 02F11AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02F11AD4
                                                                      • Part of subcall function 02F11AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02F11AE9
                                                                      • Part of subcall function 02F11AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02F11B20
                                                                    • GetComputerNameA.KERNEL32(?,0000000F), ref: 02F11BA3
                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02F11EFD,00000000,00000000,00000000,00000000), ref: 02F11BB8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                    • String ID: localcfg
                                                                    • API String ID: 2794401326-1857712256
                                                                    • Opcode ID: e2f7ae0dff27d0c50de3f190fb7add49ee5f435c61dcbd92be47c7b755dbd8e4
                                                                    • Instruction ID: 7703717513c280ff6519880837b6c4b19e2a1618cf8d84e799dd41258c6235ba
                                                                    • Opcode Fuzzy Hash: e2f7ae0dff27d0c50de3f190fb7add49ee5f435c61dcbd92be47c7b755dbd8e4
                                                                    • Instruction Fuzzy Hash: 77018BB3E0010CBFEB00DAE9CC809EFFABDAB58694F550462AB01E3140D6705E088AA0
                                                                    APIs
                                                                    • inet_addr.WS2_32(00000001), ref: 02F12693
                                                                    • gethostbyname.WS2_32(00000001), ref: 02F1269F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: gethostbynameinet_addr
                                                                    • String ID: time_cfg
                                                                    • API String ID: 1594361348-2401304539
                                                                    • Opcode ID: b49cfbf2e8d13b98763e612a8e3a68ab8099c352bf2858a6e7debd0a97fa31d3
                                                                    • Instruction ID: e928a6b2a524ce2411dcce67d97144899f888538487670921f5fe481db59be22
                                                                    • Opcode Fuzzy Hash: b49cfbf2e8d13b98763e612a8e3a68ab8099c352bf2858a6e7debd0a97fa31d3
                                                                    • Instruction Fuzzy Hash: F7E0C231A041218FCB208B28F844BD977E4EF063B0F424585F940C31D0CB30DC808B80
                                                                    APIs
                                                                      • Part of subcall function 02F1DD05: GetTickCount.KERNEL32 ref: 02F1DD0F
                                                                      • Part of subcall function 02F1DD05: InterlockedExchange.KERNEL32(02F236B4,00000001), ref: 02F1DD44
                                                                      • Part of subcall function 02F1DD05: GetCurrentThreadId.KERNEL32 ref: 02F1DD53
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,02F1A445), ref: 02F1E558
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,74DF0F10,?,00000000,?,02F1A445), ref: 02F1E583
                                                                    • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,02F1A445), ref: 02F1E5B2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                    • String ID:
                                                                    • API String ID: 3683885500-0
                                                                    • Opcode ID: bc7d3c23c1059ea87d234b52629c6bbbcad76fc0d0e15a9d40546a832301eee9
                                                                    • Instruction ID: bdc6bd49a80aa689b15fecdeb22d350b649dd7d0c1d4cf93aed64d6d47bbd33d
                                                                    • Opcode Fuzzy Hash: bc7d3c23c1059ea87d234b52629c6bbbcad76fc0d0e15a9d40546a832301eee9
                                                                    • Instruction Fuzzy Hash: F02129B2A803143AF2207A615C45F9B7E5EDB66BD0F800458BF0EB12C3FA55E5148AB1
                                                                    APIs
                                                                    • Sleep.KERNELBASE(000003E8), ref: 02F188A5
                                                                      • Part of subcall function 02F1F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02F1E342,00000000,75A8EA50,80000001,00000000,02F1E513,?,00000000,00000000,?,000000E4), ref: 02F1F089
                                                                      • Part of subcall function 02F1F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02F1E342,00000000,75A8EA50,80000001,00000000,02F1E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02F1F093
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: Time$FileSystem$Sleep
                                                                    • String ID: localcfg$rresolv
                                                                    • API String ID: 1561729337-486471987
                                                                    APIs
                                                                    • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,02F222F8,02F142B6,00000000,00000001,02F222F8,00000000,?,02F198FD), ref: 02F14021
                                                                    • GetLastError.KERNEL32(?,02F198FD,00000001,00000100,02F222F8,02F1A3C7), ref: 02F1402C
                                                                    • Sleep.KERNEL32(000001F4,?,02F198FD,00000001,00000100,02F222F8,02F1A3C7), ref: 02F14046
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: CreateErrorFileLastSleep
                                                                    • String ID:
                                                                    • API String ID: 408151869-0
                                                                    APIs
                                                                    • GetEnvironmentVariableA.KERNEL32(02F1DC19,?,00000104), ref: 02F1DB7F
                                                                    • lstrcpyA.KERNEL32(?,02F228F8), ref: 02F1DBA4
                                                                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 02F1DBC2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                    • String ID:
                                                                    • API String ID: 2536392590-0
                                                                    APIs
                                                                    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 02F1EC5E
                                                                    • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02F1EC72
                                                                    • GetTickCount.KERNEL32 ref: 02F1EC78
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: Time$CountFileInformationSystemTickVolume
                                                                    • String ID:
                                                                    • API String ID: 1209300637-0
                                                                    APIs
                                                                    • gethostname.WS2_32(?,00000080), ref: 02F130D8
                                                                    • gethostbyname.WS2_32(?), ref: 02F130E2
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: gethostbynamegethostname
                                                                    • String ID:
                                                                    • API String ID: 3961807697-0
                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,02F1DB55,7FFF0001), ref: 02F1EC13
                                                                    • RtlReAllocateHeap.NTDLL(00000000,?,02F1DB55,7FFF0001), ref: 02F1EC1A
                                                                      • Part of subcall function 02F1EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02F1EBFE,7FFF0001,?,02F1DB55,7FFF0001), ref: 02F1EBD3
                                                                      • Part of subcall function 02F1EBCC: RtlAllocateHeap.NTDLL(00000000,?,02F1DB55,7FFF0001), ref: 02F1EBDA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: Heap$AllocateProcess
                                                                    • String ID:
                                                                    • API String ID: 1357844191-0
                                                                    APIs
                                                                      • Part of subcall function 02F1EBA0: GetProcessHeap.KERNEL32(00000000,00000000,02F1EC0A,00000000,80000001,?,02F1DB55,7FFF0001), ref: 02F1EBAD
                                                                      • Part of subcall function 02F1EBA0: HeapSize.KERNEL32(00000000,?,02F1DB55,7FFF0001), ref: 02F1EBB4
                                                                    • GetProcessHeap.KERNEL32(00000000,02F1EA27,00000000,02F1EA27,00000000), ref: 02F1EC41
                                                                    • RtlFreeHeap.NTDLL(00000000), ref: 02F1EC48
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: Heap$Process$FreeSize
                                                                    • String ID:
                                                                    • API String ID: 1305341483-0
                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,80000001,02F1EBFE,7FFF0001,?,02F1DB55,7FFF0001), ref: 02F1EBD3
                                                                    • RtlAllocateHeap.NTDLL(00000000,?,02F1DB55,7FFF0001), ref: 02F1EBDA
                                                                      • Part of subcall function 02F1EB74: GetProcessHeap.KERNEL32(00000000,00000000,02F1EC28,00000000,?,02F1DB55,7FFF0001), ref: 02F1EB81
                                                                      • Part of subcall function 02F1EB74: HeapSize.KERNEL32(00000000,?,02F1DB55,7FFF0001), ref: 02F1EB88
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: Heap$Process$AllocateSize
                                                                    • String ID:
                                                                    • API String ID: 2559512979-0
                                                                    APIs
                                                                    • recv.WS2_32(000000C8,?,00000000,02F1CA44), ref: 02F1F476
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: recv
                                                                    • String ID:
                                                                    • API String ID: 1507349165-0
                                                                    APIs
                                                                    • closesocket.WS2_32(00000000), ref: 02F11992
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: closesocket
                                                                    • String ID:
                                                                    • API String ID: 2781271927-0
                                                                    APIs
                                                                    • lstrcmpiA.KERNEL32(80000011,00000000), ref: 02F1DDB5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: lstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 1586166983-0
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02F19816,EntryPoint), ref: 02F1638F
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02F19816,EntryPoint), ref: 02F163A9
                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02F163CA
                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02F163EB
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 1965334864-0
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02F11839,02F19646), ref: 02F11012
                                                                    • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 02F110C2
                                                                    • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02F110E1
                                                                    • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02F11101
                                                                    • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02F11121
                                                                    • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02F11140
                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02F11160
                                                                    • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02F11180
                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02F1119F
                                                                    • GetProcAddress.KERNEL32(00000000,NtClose), ref: 02F111BF
                                                                    • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 02F111DF
                                                                    • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 02F111FE
                                                                    • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 02F1121A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: AddressProc$LibraryLoad
                                                                    • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                    • API String ID: 2238633743-3228201535
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 02F1B2B3
                                                                    • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 02F1B2C2
                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 02F1B2D0
                                                                    • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 02F1B2E1
                                                                    • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 02F1B31A
                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 02F1B329
                                                                    • wsprintfA.USER32 ref: 02F1B3B7
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                    • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                    • API String ID: 766114626-2976066047
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                    • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                    • API String ID: 2400214276-165278494
                                                                    • Opcode ID: 135338d43c4aa79774e2316fdde08348efdd5a565dca2c011b143452cd29a52f
                                                                    • Instruction ID: 5d5d585cdfbc379afc6d19d3ba75b78ca8df2aba68d0a2a38ef478123ba84563
                                                                    • Opcode Fuzzy Hash: 135338d43c4aa79774e2316fdde08348efdd5a565dca2c011b143452cd29a52f
                                                                    • Instruction Fuzzy Hash: CD619D72A40218AFEB209FB4DC45FEA77E9FF09340F108469FA69D2121EB709944CF10
                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 02F1A7FB
                                                                    • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 02F1A87E
                                                                    • send.WS2_32(00000000,?,00000000,00000000), ref: 02F1A893
                                                                    • wsprintfA.USER32 ref: 02F1A8AF
                                                                    • send.WS2_32(00000000,.,00000005,00000000), ref: 02F1A8D2
                                                                    • wsprintfA.USER32 ref: 02F1A8E2
                                                                    • recv.WS2_32(00000000,?,000003F6,00000000), ref: 02F1A97C
                                                                    • wsprintfA.USER32 ref: 02F1A9B9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf$send$lstrlenrecv
                                                                    • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                    • API String ID: 3650048968-2394369944
                                                                    • Opcode ID: 83122fbc0e304a2ae93175e59011ec4b8d564b20e753facae84544a769d72ff5
                                                                    • Instruction ID: 58ff1c2362602eb52b00db28863a4e3c5375e936bdc505e510f3c7cf22c0736a
                                                                    • Opcode Fuzzy Hash: 83122fbc0e304a2ae93175e59011ec4b8d564b20e753facae84544a769d72ff5
                                                                    • Instruction Fuzzy Hash: 32A16E73E42359ABEF20CA54DC85FAE776AEB113D8F940456FB02A6080DB318548CF51
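The verb strings in this function (ehlo/helo, AUTH LOGIN, mail from:, rcpt to:, data, the 5-byte "." terminator, quit) together with its three error strings describe the client side of one SMTP delivery. The Python below is an added example, not code from the report or from the sample: it plays that exchange against a scripted peer and applies the error conditions the string table names. The scripted server, the 2xx/3xx acceptance rule, the helo fallback when the banner lacks "ESMTP", and the size thresholds (0x3F6 taken from the recv call above) are assumptions.

```python
"""Client side of the SMTP exchange implied by the verbs and error strings in
the traced function. Constructed example: the scripted server, the acceptance
rule (2xx/3xx) and the size thresholds are assumptions, not confirmed bot logic.
"""
import base64

MAX_RESPONSE = 0x3F6   # recv buffer length in the trace; a full buffer is "too big" (assumed)
MIN_RESPONSE = 3       # a reply needs at least a 3-digit status code (assumed)


class SmtpError(Exception):
    pass


def check_response(raw: bytes) -> str:
    """Apply the three error conditions named in the string table."""
    if len(raw) >= MAX_RESPONSE:
        raise SmtpError("Too big smtp respons (%d bytes)" % len(raw))
    if len(raw) < MIN_RESPONSE:
        raise SmtpError("Too small respons")
    text = raw.decode("ascii", "replace")
    if not text[:3].isdigit() or text[0] not in "23":
        raise SmtpError("Incorrect respons: " + text.strip())
    return text


def send_message(peer, helo_name, mail_from, rcpt_to, body, auth=None):
    """Run one delivery in the verb order of the string table; returns all replies."""
    replies = [check_response(peer.recv(MAX_RESPONSE))]        # banner

    def cmd(line):
        peer.send((line + "\r\n").encode("ascii"))
        replies.append(check_response(peer.recv(MAX_RESPONSE)))

    # "ESMTP" in the banner selects ehlo, otherwise fall back to helo (assumed)
    cmd(("ehlo %s" if "ESMTP" in replies[0] else "helo %s") % helo_name)
    if auth:
        cmd("AUTH LOGIN")
        for secret in auth:                                    # answer the two 334 prompts
            cmd(base64.b64encode(secret.encode()).decode())
    cmd("mail from:<%s>" % mail_from)
    cmd("rcpt to:<%s>" % rcpt_to)
    cmd("data")
    peer.send(body.encode("ascii"))                            # body chunk, no reply expected
    peer.send(b"\r\n.\r\n")                                    # the 5-byte terminator seen in the trace
    replies.append(check_response(peer.recv(MAX_RESPONSE)))
    cmd("quit")
    return replies


def deliver(peer, *args, **kwargs):
    """Return None on success or the error text, for callers that only log."""
    try:
        send_message(peer, *args, **kwargs)
        return None
    except SmtpError as exc:
        return str(exc)


class ScriptedServer:
    """Constructed peer: canned replies keyed by verb, with AUTH and DATA states."""
    REPLIES = {"ehlo": "250-mx.example\r\n250 AUTH LOGIN\r\n", "helo": "250 mx.example\r\n",
               "auth": "334 VXNlcm5hbWU6\r\n", "mail": "250 ok\r\n", "rcpt": "250 ok\r\n",
               "data": "354 end with <CRLF>.<CRLF>\r\n", "quit": "221 bye\r\n"}

    def __init__(self, esmtp=True, overrides=None):
        self.log, self.state = [], "cmd"
        self.pending = "220 mx.example %s ready\r\n" % ("ESMTP" if esmtp else "SMTP")
        self.replies = {**self.REPLIES, **(overrides or {})}

    def send(self, data: bytes):
        text = data.decode("ascii", "replace")
        self.log.append(text)
        if self.state == "data":
            done = text.endswith("\r\n.\r\n")
            self.state, self.pending = ("cmd", "250 queued\r\n") if done else ("data", "")
            return
        if self.state == "user":
            self.state, self.pending = "pass", "334 UGFzc3dvcmQ6\r\n"
            return
        if self.state == "pass":
            self.state, self.pending = "cmd", "235 authenticated\r\n"
            return
        verb = text.split()[0].lower() if text.split() else ""
        self.pending = self.replies.get(verb, "500 unknown\r\n")
        if verb == "auth":
            self.state = "user"
        elif verb == "data" and self.pending.startswith("354"):
            self.state = "data"

    def recv(self, n: int) -> bytes:
        out, self.pending = self.pending.encode("ascii")[:n], ""
        return out
```

Running `deliver(ScriptedServer(), "host1", "a@example.org", "b@example.net", "Subject: x\r\n\r\nhello", auth=("user", "pass"))` walks the full verb sequence; overriding a reply (a 550 on rcpt, an empty quit reply, an oversized ehlo reply) produces the corresponding error string from the table.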
                                                                    APIs
                                                                    • ShellExecuteExW.SHELL32(?), ref: 02F1139A
                                                                    • lstrlenW.KERNEL32(-00000003), ref: 02F11571
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExecuteShelllstrlen
                                                                    • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                    • API String ID: 1628651668-179334549
                                                                    • Opcode ID: 1b94d427176eed7847bf5ec0809b4d77a97724f447e5ec77be61c6a5a1ac8b8c
                                                                    • Instruction ID: 8ead2579c10e9ab7641310cf20dcea616140e5f6d869b1b0e10c045f190c551c
                                                                    • Opcode Fuzzy Hash: 1b94d427176eed7847bf5ec0809b4d77a97724f447e5ec77be61c6a5a1ac8b8c
                                                                    • Instruction Fuzzy Hash: 31F16AB5A083459FD320DF64C888B6BB7E5FB8A384F41491DFB9A97380D7749848CB52
                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 02F12A83
                                                                    • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 02F12A86
                                                                    • socket.WS2_32(00000002,00000002,00000011), ref: 02F12AA0
                                                                    • htons.WS2_32(00000000), ref: 02F12ADB
                                                                    • select.WS2_32 ref: 02F12B28
                                                                    • recv.WS2_32(?,00000000,00001000,00000000), ref: 02F12B4A
                                                                    • htons.WS2_32(?), ref: 02F12B71
                                                                    • htons.WS2_32(?), ref: 02F12B8C
                                                                    • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02F12BFB
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                    • String ID:
                                                                    • API String ID: 1639031587-0
                                                                    • Opcode ID: 099e4b2a977d995a86163bcb3909915442e3971e439fb06ae962930b3f217de1
                                                                    • Instruction ID: 4cf1aade1dc650fb9c49c84c73f9fc95765395cfa41fe8d4f75df434f8023c98
                                                                    • Opcode Fuzzy Hash: 099e4b2a977d995a86163bcb3909915442e3971e439fb06ae962930b3f217de1
                                                                    • Instruction Fuzzy Hash: C361C1729043299FD7209FA4DC08B6ABBE8FB997E5F41080DFF4597180DBB0D8548BA1
                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 02F170C2
                                                                    • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 02F1719E
                                                                    • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 02F171B2
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 02F17208
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 02F17291
                                                                    • ___ascii_stricmp.LIBCMT ref: 02F172C2
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 02F172D0
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 02F17314
                                                                    • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02F1738D
                                                                    • RegCloseKey.ADVAPI32(74DF0F10), ref: 02F173D8
                                                                      • Part of subcall function 02F1F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02F222F8,000000C8,02F17150,?), ref: 02F1F1AD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                    • String ID: $"
                                                                    • API String ID: 4293430545-3817095088
                                                                    • Opcode ID: 9f8193f86d71eb8d3d7dae80cc8bffa46513274e1a36c33eb86b12383db08562
                                                                    • Instruction ID: 802be0d6e96dcc02e0bab8e14740ea96f2130e48aa3e573b367315d81ca47208
                                                                    • Opcode Fuzzy Hash: 9f8193f86d71eb8d3d7dae80cc8bffa46513274e1a36c33eb86b12383db08562
                                                                    • Instruction Fuzzy Hash: 1DB19772D44219AEEF15EFA0DC44BEEB7B9EF04380F900469FA05E6090EB719A44CF65
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?), ref: 02F1AD98
                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 02F1ADA6
                                                                      • Part of subcall function 02F1AD08: gethostname.WS2_32(?,00000080), ref: 02F1AD1C
                                                                      • Part of subcall function 02F1AD08: lstrlenA.KERNEL32(00000000), ref: 02F1AD60
                                                                      • Part of subcall function 02F1AD08: lstrlenA.KERNEL32(00000000), ref: 02F1AD69
                                                                      • Part of subcall function 02F1AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 02F1AD7F
                                                                      • Part of subcall function 02F130B5: gethostname.WS2_32(?,00000080), ref: 02F130D8
                                                                      • Part of subcall function 02F130B5: gethostbyname.WS2_32(?), ref: 02F130E2
                                                                    • wsprintfA.USER32 ref: 02F1AEA5
                                                                      • Part of subcall function 02F1A7A3: inet_ntoa.WS2_32(?), ref: 02F1A7A9
                                                                    • wsprintfA.USER32 ref: 02F1AE4F
                                                                    • wsprintfA.USER32 ref: 02F1AE5E
                                                                      • Part of subcall function 02F1EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02F1EF92
                                                                      • Part of subcall function 02F1EF7C: lstrlenA.KERNEL32(?), ref: 02F1EF99
                                                                      • Part of subcall function 02F1EF7C: lstrlenA.KERNEL32(00000000), ref: 02F1EFA0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                    • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                    • API String ID: 3631595830-1816598006
                                                                    • Opcode ID: 9ccfa89319fccba711677673440dccbb9801d5016e0abcdd65fa51c4fb8bd2ba
                                                                    • Instruction ID: e8756dd0367807bbfd601a0a86bfaa765a4e3f90b40da38be852d4d2f957e462
                                                                    • Opcode Fuzzy Hash: 9ccfa89319fccba711677673440dccbb9801d5016e0abcdd65fa51c4fb8bd2ba
                                                                    • Instruction Fuzzy Hash: 7F411DB290021CABEF25AFA0DC45EEE3BADFB59380F54041AFE1592151EA71D558CF60
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,02F12F0F,?,02F120FF,02F22000), ref: 02F12E01
                                                                    • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02F12F0F,?,02F120FF,02F22000), ref: 02F12E11
                                                                    • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02F12E2E
                                                                    • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02F12F0F,?,02F120FF,02F22000), ref: 02F12E4C
                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,02F12F0F,?,02F120FF,02F22000), ref: 02F12E4F
                                                                    • htons.WS2_32(00000035), ref: 02F12E88
                                                                    • inet_addr.WS2_32(?), ref: 02F12E93
                                                                    • gethostbyname.WS2_32(?), ref: 02F12EA6
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02F12F0F,?,02F120FF,02F22000), ref: 02F12EE3
                                                                    • HeapFree.KERNEL32(00000000,?,00000000,02F12F0F,?,02F120FF,02F22000), ref: 02F12EE6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                    • String ID: GetNetworkParams$iphlpapi.dll
                                                                    • API String ID: 929413710-2099955842
                                                                    • Opcode ID: f716fdc7b4714f8b8efb4c95c5b9e01eb6907b3076ecd8d25099d422a7afafa7
                                                                    • Instruction ID: c5f5f6523d3634978b37769563db1b52ed61c6995bca6786a7dbece50652003a
                                                                    • Opcode Fuzzy Hash: f716fdc7b4714f8b8efb4c95c5b9e01eb6907b3076ecd8d25099d422a7afafa7
                                                                    • Instruction Fuzzy Hash: 7B31E432E4022DABDB209BF89844B6EB778AF167E4F550519EE14E3280DF30C5418B50
                                                                    APIs
                                                                    • GetVersionExA.KERNEL32(?,?,02F19DD7,?,00000022,?,?,00000000,00000001), ref: 02F19340
                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02F19DD7,?,00000022,?,?,00000000,00000001), ref: 02F1936E
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,02F19DD7,?,00000022,?,?,00000000,00000001), ref: 02F19375
                                                                    • wsprintfA.USER32 ref: 02F193CE
                                                                    • wsprintfA.USER32 ref: 02F1940C
                                                                    • wsprintfA.USER32 ref: 02F1948D
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02F194F1
                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02F19526
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02F19571
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                    • String ID: runas
                                                                    • API String ID: 3696105349-4000483414
                                                                    • Opcode ID: 100dc8fa02cc42f8091e61f66a815ada482e631cb2a9032f60e122c2177d5101
                                                                    • Instruction ID: 470f6c069744e440b952e7c4a0df047206392af84bd89d721d726a097cec32a8
                                                                    • Opcode Fuzzy Hash: 100dc8fa02cc42f8091e61f66a815ada482e631cb2a9032f60e122c2177d5101
                                                                    • Instruction Fuzzy Hash: F3A17CB294025CABFB219FA0CC95FDE7BADEB15780F50042AFB05A2151E7B1D548CFA1
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 02F12078
                                                                    • GetTickCount.KERNEL32 ref: 02F120D4
                                                                    • GetTickCount.KERNEL32 ref: 02F120DB
                                                                    • GetTickCount.KERNEL32 ref: 02F1212B
                                                                    • GetTickCount.KERNEL32 ref: 02F12132
                                                                    • GetTickCount.KERNEL32 ref: 02F12142
                                                                      • Part of subcall function 02F1F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02F1E342,00000000,75A8EA50,80000001,00000000,02F1E513,?,00000000,00000000,?,000000E4), ref: 02F1F089
                                                                      • Part of subcall function 02F1F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02F1E342,00000000,75A8EA50,80000001,00000000,02F1E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02F1F093
                                                                      • Part of subcall function 02F1E854: lstrcpyA.KERNEL32(00000001,?,?,02F1D8DF,00000001,localcfg,except_info,00100000,02F20264), ref: 02F1E88B
                                                                      • Part of subcall function 02F1E854: lstrlenA.KERNEL32(00000001,?,02F1D8DF,00000001,localcfg,except_info,00100000,02F20264), ref: 02F1E899
                                                                      • Part of subcall function 02F11C5F: wsprintfA.USER32 ref: 02F11CE1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                    • String ID: localcfg$net_type$qkD$rbl_bl$rbl_ip
                                                                    • API String ID: 3976553417-1533126414
                                                                    • Opcode ID: d3a5d2c34c94850c8c596374ce63f59fa0032d1e415f84cd89553082eabf1337
                                                                    • Instruction ID: 7470bcaae4265c9e951d49bfd752b7fe8ebb3991466147968f9435660fc5c114
                                                                    • Opcode Fuzzy Hash: d3a5d2c34c94850c8c596374ce63f59fa0032d1e415f84cd89553082eabf1337
                                                                    • Instruction Fuzzy Hash: 14512031E8430A4EF338EBA4ED44B56BBD5EB12BD4F91091DEF01860D4DBB1A65CCA10
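Two functions above point at a hand-rolled resolver rather than the system one: the block that loads iphlpapi.dll for GetNetworkParams and calls htons(0x35) (port 53), and the block that opens socket(2, 2, 17) (AF_INET, SOCK_DGRAM, UDP) and waits in select/recv. The rbl_ip and rbl_bl keys in the localcfg block just above suggest reversed-octet blocklist lookups of the bot's own address. The Python below is an added example, not the sample's code: it builds the DNS query in wire format, parses the A answers, and decides "listed" the way DNSBL clients conventionally do, offline against a constructed reply. The zone name, the scripted resolver and the reading of rbl_* as blocklist settings are assumptions.

```python
"""DNS wire-format query builder and answer parser for a reversed-octet
blocklist lookup. Added example running offline against a constructed reply;
the rbl_ip / rbl_bl interpretation is an assumption drawn from the strings.
"""
import secrets
import socket   # used only for inet_aton / inet_ntoa, no traffic is sent
import struct

DNS_PORT = 53   # htons(0x35) in the traced function
A_RECORD = 1
CLASS_IN = 1


def rbl_name(ip: str, zone: str) -> str:
    """1.2.3.4 under rbl.example becomes 4.3.2.1.rbl.example (DNSBL convention)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def encode_name(name: str) -> bytes:
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int) -> str:
    """Read an uncompressed name (enough for the question section)."""
    labels = []
    while buf[off]:
        ln = buf[off]
        labels.append(buf[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels)


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a name, compressed (pointer) or not."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # 2-byte compression pointer
            return off + 2
        off += 1 + ln


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack(">HH", A_RECORD, CLASS_IN)


def parse_a_answers(buf: bytes, txid: int):
    """Return (rcode, [dotted IPs]) from a response; reject a foreign transaction id."""
    rid, flags, qd, an, _, _ = struct.unpack_from(">HHHHHH", buf, 0)
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4          # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", buf, off)
        off += 10
        if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4:
            ips.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return flags & 0x0F, ips


def build_response(query: bytes, ips, rcode: int = 0) -> bytes:
    """Constructed reply for offline use: echo the question, append A answers."""
    txid, _, qd, _, _, _ = struct.unpack_from(">HHHHHH", query, 0)
    qend = skip_name(query, 12) + 4
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, qd, len(ips), 0, 0)
    rr = struct.pack(">HHIH", A_RECORD, CLASS_IN, 300, 4)
    answers = b"".join(b"\xc0\x0c" + rr + socket.inet_aton(ip) for ip in ips)
    return header + query[12:qend] + answers


def scripted_resolver(listed):
    """Offline stand-in for sendto/recv on the UDP socket: 127.0.0.2 for listed names, NXDOMAIN otherwise."""
    def resolve(query: bytes) -> bytes:
        name = decode_name(query, 12)
        hit = name in listed
        return build_response(query, ["127.0.0.2"] if hit else [], rcode=0 if hit else 3)
    return resolve


def is_listed(ip: str, zone: str, resolver) -> bool:
    """resolver(query_bytes) -> response_bytes; listed if a 127.x A record comes back."""
    txid = secrets.randbelow(0x10000)
    rcode, ips = parse_a_answers(resolver(build_query(txid, rbl_name(ip, zone))), txid)
    return rcode == 0 and any(a.startswith("127.") for a in ips)
```

Swapping `scripted_resolver` for a function that sends the query to one of the servers returned by GetNetworkParams and returns the datagram read back would make `is_listed` a live check; the parser deliberately ignores answers of other types and classes so an unexpected record cannot be mistaken for a listing.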
                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 02F1B467
                                                                      • Part of subcall function 02F1EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02F1EF92
                                                                      • Part of subcall function 02F1EF7C: lstrlenA.KERNEL32(?), ref: 02F1EF99
                                                                      • Part of subcall function 02F1EF7C: lstrlenA.KERNEL32(00000000), ref: 02F1EFA0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$wsprintf
                                                                    • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                    • API String ID: 1220175532-2340906255
                                                                    • Opcode ID: fc7677822f94d2e5e871c359492de9a9008d63bc01ba25d08bcdc4c077b84737
                                                                    • Instruction ID: 4d02e7c99fbd43b93852ace0b24683f9e0e21786100a7ed6526e9c1490894790
                                                                    • Opcode Fuzzy Hash: fc7677822f94d2e5e871c359492de9a9008d63bc01ba25d08bcdc4c077b84737
                                                                    • Instruction Fuzzy Hash: CA4130B29411297EEF01AAA4CCC1DFF7B6DEE596D8F540019FF05B2100DA71A9298BA1
                                                                    APIs
                                                                      • Part of subcall function 02F1A4C7: GetTickCount.KERNEL32 ref: 02F1A4D1
                                                                      • Part of subcall function 02F1A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 02F1A4FA
                                                                    • GetTickCount.KERNEL32 ref: 02F1C31F
                                                                    • GetTickCount.KERNEL32 ref: 02F1C32B
                                                                    • GetTickCount.KERNEL32 ref: 02F1C363
                                                                    • GetTickCount.KERNEL32 ref: 02F1C378
                                                                    • GetTickCount.KERNEL32 ref: 02F1C44D
                                                                    • InterlockedIncrement.KERNEL32(02F1C4E4), ref: 02F1C4AE
                                                                    • CreateThread.KERNEL32(00000000,00000000,02F1B535,00000000,?,02F1C4E0), ref: 02F1C4C1
                                                                    • CloseHandle.KERNEL32(00000000,?,02F1C4E0,02F23588,02F18810), ref: 02F1C4CC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                    • String ID: localcfg
                                                                    • API String ID: 1553760989-1857712256
                                                                    • Opcode ID: 603437d4119eee8a8d8ddd09fd2dfd67779f42f80888dc81dc31c1fef3d0bf19
                                                                    • Instruction ID: 517df32e829c5fd1bf8e44f2dff6aa819a5779f36af93a970c3a32b8a2b9863b
                                                                    • Opcode Fuzzy Hash: 603437d4119eee8a8d8ddd09fd2dfd67779f42f80888dc81dc31c1fef3d0bf19
                                                                    • Instruction Fuzzy Hash: 94515AB1A40B418FD7248F69C68562AFBE9FB48384B905D3ED28BC7A90D774F844CB15
                                                                    APIs
                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02F1BE4F
                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02F1BE5B
                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02F1BE67
                                                                    • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02F1BF6A
                                                                    • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02F1BF7F
                                                                    • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02F1BF94
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcmpi
                                                                    • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                    • API String ID: 1586166983-1625972887
                                                                    • Opcode ID: 507bf27f286474f5b4286727a2b5cbbccc4fa5088d84922e07a39a5633d5fba8
                                                                    • Instruction ID: de307c63de4cbd20f8849fa8665ea1c22fafc7f16fbdbf4d97a0029904f2b71a
                                                                    • Opcode Fuzzy Hash: 507bf27f286474f5b4286727a2b5cbbccc4fa5088d84922e07a39a5633d5fba8
                                                                    • Instruction Fuzzy Hash: 2B518476E0121AEFDB119BA5C940B5EBBA9AF057CCF844469EF429B210D730E945CF90
                                                                    APIs
                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,02F19A60,?,?,02F19E9D), ref: 02F16A7D
                                                                    • GetDiskFreeSpaceA.KERNEL32(02F19E9D,02F19A60,?,?,?,02F222F8,?,?,?,02F19A60,?,?,02F19E9D), ref: 02F16ABB
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,02F19A60,?,?,02F19E9D), ref: 02F16B40
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02F19A60,?,?,02F19E9D), ref: 02F16B4E
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02F19A60,?,?,02F19E9D), ref: 02F16B5F
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,02F19A60,?,?,02F19E9D), ref: 02F16B6F
                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02F19A60,?,?,02F19E9D), ref: 02F16B7D
                                                                    • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02F19A60,?,?,02F19E9D), ref: 02F16B80
                                                                    • GetLastError.KERNEL32(?,?,?,02F19A60,?,?,02F19E9D,?,?,?,?,?,02F19E9D,?,00000022,?), ref: 02F16B96
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                    • String ID:
                                                                    • API String ID: 3188212458-0
                                                                    • Opcode ID: 7c813a74a3756b2398380ec4452c409140cedd986203e68d250b8aaf8a4d1ac4
                                                                    • Instruction ID: 9484a1e578c56cab6bdc0c3d60b54c948f725eb229c172a30f98f9b807abeab1
                                                                    • Opcode Fuzzy Hash: 7c813a74a3756b2398380ec4452c409140cedd986203e68d250b8aaf8a4d1ac4
                                                                    • Instruction Fuzzy Hash: B731FDB3D0010DBFEB21EFA09C44E9EBB7DEB59384F45486AE611E3241EB3085588F61
                                                                    APIs
                                                                    • GetUserNameA.ADVAPI32(?,02F1D7C3), ref: 02F16F7A
                                                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,02F1D7C3), ref: 02F16FC1
                                                                    • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02F16FE8
                                                                    • LocalFree.KERNEL32(00000120), ref: 02F1701F
                                                                    • wsprintfA.USER32 ref: 02F17036
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                    • String ID: /%d$|
                                                                    • API String ID: 676856371-4124749705
                                                                    • Opcode ID: b7156f2bb1b8cedcb580d6b5e4ed510488ff9edb6e95d35b851144bd70bee523
                                                                    • Instruction ID: 17e4d2821bafbd89e92c51443ee13a59e27456a9fd20cce728fa6ccc2d257b77
                                                                    • Opcode Fuzzy Hash: b7156f2bb1b8cedcb580d6b5e4ed510488ff9edb6e95d35b851144bd70bee523
                                                                    • Instruction Fuzzy Hash: 25312B72A00218AFDB11DFA9DC49ADA7BBCEF05394F14815AF919DB100EB35D608CB94
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,02F222F8,000000E4,02F16DDC,000000C8), ref: 02F16CE7
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02F16CEE
                                                                    • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02F16D14
                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02F16D2B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                    • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                    • API String ID: 1082366364-3395550214
                                                                    • Opcode ID: 653ae286bf26387c91fd4a785678b0d8f99f01ffc9024d8c48ae1cfd136b6ad3
                                                                    • Instruction ID: 19dbc97e3a329054d76e394fdeb5c129908db48524e6e29ef39434a9ef0aabdc
                                                                    • Opcode Fuzzy Hash: 653ae286bf26387c91fd4a785678b0d8f99f01ffc9024d8c48ae1cfd136b6ad3
                                                                    • Instruction Fuzzy Hash: EA215752E816697AF73157324C88F777E4D8B237C4F8E0448FF05E6180CB95864D86B5
                                                                    APIs
                                                                    • CreateProcessA.KERNEL32(00000000,02F19947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02F222F8), ref: 02F197B1
                                                                    • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02F222F8), ref: 02F197EB
                                                                    • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02F222F8), ref: 02F197F9
                                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02F222F8), ref: 02F19831
                                                                    • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02F222F8), ref: 02F1984E
                                                                    • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02F222F8), ref: 02F1985B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                    • String ID: D
                                                                    • API String ID: 2981417381-2746444292
                                                                    • Opcode ID: 4f06d06bce3bb7968bbdbef1c36c19a06a2c923e07afbdd95eb7f54bff3bad29
                                                                    • Instruction ID: a1d27cfb8002009b8f7264c439257f93811f78f25408a6a93cc77f9da401327b
                                                                    • Opcode Fuzzy Hash: 4f06d06bce3bb7968bbdbef1c36c19a06a2c923e07afbdd95eb7f54bff3bad29
                                                                    • Instruction Fuzzy Hash: 52213D72D4112DBBEB219FA1DC49FEFBB7CEF05694F800464BA19E1040EB709654CBA0
                                                                    APIs
                                                                      • Part of subcall function 02F1DD05: GetTickCount.KERNEL32 ref: 02F1DD0F
                                                                      • Part of subcall function 02F1DD05: InterlockedExchange.KERNEL32(02F236B4,00000001), ref: 02F1DD44
                                                                      • Part of subcall function 02F1DD05: GetCurrentThreadId.KERNEL32 ref: 02F1DD53
                                                                      • Part of subcall function 02F1DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 02F1DDB5
                                                                    • lstrcpynA.KERNEL32(?,02F11E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,02F1EAAA,?,?), ref: 02F1E8DE
                                                                    • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,02F1EAAA,?,?,00000001,?,02F11E84,?), ref: 02F1E935
                                                                    • lstrlenA.KERNEL32(00000001,?,?,?,?,?,02F1EAAA,?,?,00000001,?,02F11E84,?,0000000A), ref: 02F1E93D
                                                                    • lstrlenA.KERNEL32(00000000,?,?,?,?,?,02F1EAAA,?,?,00000001,?,02F11E84,?), ref: 02F1E94F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                    • String ID: flags_upd$localcfg
                                                                    • API String ID: 204374128-3505511081
                                                                    • Opcode ID: c4a7838bd9c98b0c103b4e6b099313bef0cbb091ab785841bd5484a9fa6278d8
                                                                    • Instruction ID: 9950f5b20183b16be5c15fc1c52218423760be8f79c0def485420432b4b15321
                                                                    • Opcode Fuzzy Hash: c4a7838bd9c98b0c103b4e6b099313bef0cbb091ab785841bd5484a9fa6278d8
                                                                    • Instruction Fuzzy Hash: 5B512D72D0020AAFCB11EFA8CD84DAEBBF9BF48344F55456AE905A7250D735EA148F50
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Code
                                                                    • String ID:
                                                                    • API String ID: 3609698214-0
                                                                    • Opcode ID: b11989f3f4385871897796a03e610b9a4c41cf02bb85cd0c6cbe8600015ebf2c
                                                                    • Instruction ID: e9cd0118ae92863d58611d6a787f2fd3933a35d0ffb8eb28d3e1b77e5b27a8a5
                                                                    • Opcode Fuzzy Hash: b11989f3f4385871897796a03e610b9a4c41cf02bb85cd0c6cbe8600015ebf2c
                                                                    • Instruction Fuzzy Hash: 81219377A04109FFEB259BB0ED48D9FBB6CDB057E5B514819F602E1040EB31DA14DA74
                                                                    APIs
                                                                    • GetTempPathA.KERNEL32(00000400,?,00000000,02F222F8), ref: 02F1907B
                                                                    • wsprintfA.USER32 ref: 02F190E9
                                                                    • CreateFileA.KERNEL32(02F222F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02F1910E
                                                                    • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02F19122
                                                                    • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02F1912D
                                                                    • CloseHandle.KERNEL32(00000000), ref: 02F19134
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                    • String ID:
                                                                    • API String ID: 2439722600-0
                                                                    • Opcode ID: 338a72dda9c012752e701c9331db1543a4c25e1850e52af84e27812661c5273d
                                                                    • Instruction ID: eaf06a3b5ed6a2359355a8f8af1a00bf92294a78cc48813a45bce1dcfaba5159
                                                                    • Opcode Fuzzy Hash: 338a72dda9c012752e701c9331db1543a4c25e1850e52af84e27812661c5273d
                                                                    • Instruction Fuzzy Hash: FE119AB3B401187BF7256671DC09FAF766EDBE5B80F418469BB0AA5050EE704A158AA0
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 02F1DD0F
                                                                    • GetCurrentThreadId.KERNEL32 ref: 02F1DD20
                                                                    • GetTickCount.KERNEL32 ref: 02F1DD2E
                                                                    • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,02F1E538,?,74DF0F10,?,00000000,?,02F1A445), ref: 02F1DD3B
                                                                    • InterlockedExchange.KERNEL32(02F236B4,00000001), ref: 02F1DD44
                                                                    • GetCurrentThreadId.KERNEL32 ref: 02F1DD53
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                    • String ID:
                                                                    • API String ID: 3819781495-0
                                                                    • Opcode ID: 207fdb848a4a9c4045b3b959c0f65f15237729af224f09cf65c440a7d3910700
                                                                    • Instruction ID: ecd78ed49f95bac0d7db9bac3a9af64f723557281c44b3f14f7ad0e0e0fb4297
                                                                    • Opcode Fuzzy Hash: 207fdb848a4a9c4045b3b959c0f65f15237729af224f09cf65c440a7d3910700
                                                                    • Instruction Fuzzy Hash: 5EF0B4B3A8410C9BE7609B65A894F25BBBAE767BD1F420859E70AD2140CB24506DCF22
                                                                    APIs
                                                                    • gethostname.WS2_32(?,00000080), ref: 02F1AD1C
                                                                    • lstrlenA.KERNEL32(00000000), ref: 02F1AD60
                                                                    • lstrlenA.KERNEL32(00000000), ref: 02F1AD69
                                                                    • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 02F1AD7F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$gethostnamelstrcpy
                                                                    • String ID: LocalHost
                                                                    • API String ID: 3695455745-3154191806
                                                                    • Opcode ID: 5440c2c45f2eda495027aab5120421731e8e0dad60d5bfdeb7bfdaf5e3e3fbc9
                                                                    • Instruction ID: 180de773e0bffadfd6787d1175a651f32b046870b917d6bb25b7312edfb3e52c
                                                                    • Opcode Fuzzy Hash: 5440c2c45f2eda495027aab5120421731e8e0dad60d5bfdeb7bfdaf5e3e3fbc9
                                                                    • Instruction Fuzzy Hash: F2014921C8698D5DDF3146388844BB47F769BA76CAFC00055E6C28B115EF248047CB51
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 02F14BDD
                                                                    • GetTickCount.KERNEL32 ref: 02F14BEC
                                                                    • Sleep.KERNEL32(00000000,?,%FROM_EMAIL,02F15D02,00000000,?,02F1B85C,?,00000080,?,00000000,00000000,?,%FROM_EMAIL), ref: 02F14BF9
                                                                    • InterlockedExchange.KERNEL32(0341B190,00000001), ref: 02F14C02
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CountTick$ExchangeInterlockedSleep
                                                                    • String ID: %FROM_EMAIL
                                                                    • API String ID: 2207858713-2903620461
                                                                    • Opcode ID: 737df82da844dcb3fab4fe915cda8cedeace90b3c9cf96df69a439115e55ed6d
                                                                    • Instruction ID: 9ba9968f19ccad0a9713b7e052de3515953241c5c322615023db7217e335d6d6
                                                                    • Opcode Fuzzy Hash: 737df82da844dcb3fab4fe915cda8cedeace90b3c9cf96df69a439115e55ed6d
                                                                    • Instruction Fuzzy Hash: 15E07D3778020C17D72092B55C80F56B35CEBD6BE1F430436F708D3140CE52941041B1
                                                                    APIs
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,02F198FD,00000001,00000100,02F222F8,02F1A3C7), ref: 02F14290
                                                                    • CloseHandle.KERNEL32(02F1A3C7), ref: 02F143AB
                                                                    • CloseHandle.KERNEL32(00000001), ref: 02F143AE
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle$CreateEvent
                                                                    • String ID:
                                                                    • API String ID: 1371578007-0
                                                                    • Opcode ID: 587a5a5fcd7b4e121c063c8a7ecdd9c14a555b7f0f72ce75374c1e2a986a34fc
                                                                    • Instruction ID: 906187b9c5b9d287e96204d6ad8a987f6631178995657096070517c6cc9fa788
                                                                    • Opcode Fuzzy Hash: 587a5a5fcd7b4e121c063c8a7ecdd9c14a555b7f0f72ce75374c1e2a986a34fc
                                                                    • Instruction Fuzzy Hash: 37418DB2D00209BBEF20ABA1DD85FAFBFB9EF453A4F504555F614A2180DB348651DBA0
                                                                    APIs
                                                                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,02F164CF,00000000), ref: 02F1609C
                                                                    • LoadLibraryA.KERNEL32(?,?,02F164CF,00000000), ref: 02F160C3
                                                                    • GetProcAddress.KERNEL32(?,00000014), ref: 02F1614A
                                                                    • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02F1619E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Read$AddressLibraryLoadProc
                                                                    • String ID:
                                                                    • API String ID: 2438460464-0
                                                                    • Opcode ID: 2da8ff1c8e4bdcd7788be3692e861edd6942da5902f94be94132b245f5f2403a
                                                                    • Instruction ID: 3d32f28b316f04e2c1b93cf4d1f94d9468b9580c439a04cb68c7c292d4e162a5
                                                                    • Opcode Fuzzy Hash: 2da8ff1c8e4bdcd7788be3692e861edd6942da5902f94be94132b245f5f2403a
                                                                    • Instruction Fuzzy Hash: E4417E72E00109EFEB24CF58C884BA9B7BDFF14798F548069EA15E7291DB30E954CB90
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
APIs
• GetTickCount.KERNEL32 ref: 02F1272E
• htons.WS2_32(00000001), ref: 02F12752
• htons.WS2_32(0000000F), ref: 02F127D5
• htons.WS2_32(00000001), ref: 02F127E3
• sendto.WS2_32(?,02F22BF8,00000009,00000000,00000010,00000010), ref: 02F12802
  • Part of subcall function 02F1EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02F1EBFE,7FFF0001,?,02F1DB55,7FFF0001), ref: 02F1EBD3
  • Part of subcall function 02F1EBCC: RtlAllocateHeap.NTDLL(00000000,?,02F1DB55,7FFF0001), ref: 02F1EBDA
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• String ID:
• API String ID: 1128258776-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02F222F8), ref: 02F1915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 02F19166
• CharToOemA.USER32(?,?), ref: 02F19174
• wsprintfA.USER32 ref: 02F191A9
  • Part of subcall function 02F19064: GetTempPathA.KERNEL32(00000400,?,00000000,02F222F8), ref: 02F1907B
  • Part of subcall function 02F19064: wsprintfA.USER32 ref: 02F190E9
  • Part of subcall function 02F19064: CreateFileA.KERNEL32(02F222F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02F1910E
  • Part of subcall function 02F19064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02F19122
  • Part of subcall function 02F19064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02F1912D
  • Part of subcall function 02F19064: CloseHandle.KERNEL32(00000000), ref: 02F19134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02F191E1
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02F12491,?,?,?,02F1E844,-00000030,?,?,?,00000001), ref: 02F12429
• lstrlenA.KERNEL32(?,?,02F12491,?,?,?,02F1E844,-00000030,?,?,?,00000001,02F11E3D,00000001,localcfg,lid_file_upd), ref: 02F1243E
• lstrcmpiA.KERNEL32(?,?), ref: 02F12452
• lstrlenA.KERNEL32(?,?,02F12491,?,?,?,02F1E844,-00000030,?,?,?,00000001,02F11E3D,00000001,localcfg,lid_file_upd), ref: 02F12467
Strings
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
APIs
Strings
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
  • Part of subcall function 02F1DD05: GetTickCount.KERNEL32 ref: 02F1DD0F
  • Part of subcall function 02F1DD05: InterlockedExchange.KERNEL32(02F236B4,00000001), ref: 02F1DD44
  • Part of subcall function 02F1DD05: GetCurrentThreadId.KERNEL32 ref: 02F1DD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,02F15EC1), ref: 02F1E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,02F15EC1), ref: 02F1E6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,74DF0F10,00000000,?,02F15EC1), ref: 02F1E722
Strings
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
APIs
• RegCreateKeyExA.ADVAPI32(80000001,02F1E2A3,00000000,00000000,00000000,00020106,00000000,02F1E2A3,00000000,000000E4), ref: 02F1E0B2
• RegSetValueExA.ADVAPI32(02F1E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02F222F8), ref: 02F1E127
• RegDeleteValueA.ADVAPI32(02F1E2A3,?,?,?,?,?,000000C8,02F222F8), ref: 02F1E158
• RegCloseKey.ADVAPI32(02F1E2A3,?,?,?,?,000000C8,02F222F8,?,?,?,?,?,?,?,?,02F1E2A3), ref: 02F1E161
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
APIs
• ReadFile.KERNEL32(00000000,00000000,02F1A3C7,00000000,00000000,000007D0,00000001), ref: 02F13FB8
• GetLastError.KERNEL32 ref: 02F13FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 02F13FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F13FE6
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,02F1A3C7,00000000,00000000,000007D0,00000001), ref: 02F13F44
• GetLastError.KERNEL32 ref: 02F13F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 02F13F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F13F72
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• GetTickCount.KERNEL32 ref: 02F1A4D1
• GetTickCount.KERNEL32 ref: 02F1A4E4
• Sleep.KERNEL32(00000000,?,02F1C2E9,02F1C4E0,00000000,localcfg,?,02F1C4E0,02F23588,02F18810), ref: 02F1A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 02F1A4FA
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 02F14E9E
• GetTickCount.KERNEL32 ref: 02F14EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 02F14EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 02F14EC3
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 02F13103
• GetTickCount.KERNEL32 ref: 02F1310F
• Sleep.KERNEL32(00000000), ref: 02F1311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 02F13128
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
Strings
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 02F1C057
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
APIs
  • Part of subcall function 02F130FA: GetTickCount.KERNEL32 ref: 02F13103
  • Part of subcall function 02F130FA: InterlockedExchange.KERNEL32(?,00000001), ref: 02F13128
• GetCurrentThreadId.KERNEL32 ref: 02F13929
• GetCurrentThreadId.KERNEL32 ref: 02F13939
Strings
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
                                                                    APIs
                                                                    • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,02F1BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 02F1ABB9
                                                                    • InterlockedIncrement.KERNEL32(02F23640), ref: 02F1ABE1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: IncrementInterlockedlstrcpyn
                                                                    • String ID: %FROM_EMAIL
                                                                    • API String ID: 224340156-2903620461
                                                                    • Opcode ID: d1a87b0ab57ed096a238b8e2503083f6de44349b1c96518f6f9256286f08faa7
                                                                    • Instruction ID: 296f9125614a5c6fafec0ba03d15a6cbbf0478dc4a9278736598de232d41291d
                                                                    • Opcode Fuzzy Hash: d1a87b0ab57ed096a238b8e2503083f6de44349b1c96518f6f9256286f08faa7
                                                                    • Instruction Fuzzy Hash: 0001B1719093D4AFEB21CF18D881F967FAABF16394F554888F68047203C374E584CBA0
                                                                    APIs
                                                                    • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 02F126C3
                                                                    • inet_ntoa.WS2_32(?), ref: 02F126E4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: gethostbyaddrinet_ntoa
                                                                    • String ID: localcfg
                                                                    • API String ID: 2112563974-1857712256
                                                                    • Opcode ID: 183da34ab445efd64267e978c05a24f06964883716d341eb177b48438fbc8472
                                                                    • Instruction ID: b3ae761e550d543df8602d843caab4aa83a8cafc670c83ff66297c9923803b67
                                                                    • Opcode Fuzzy Hash: 183da34ab445efd64267e978c05a24f06964883716d341eb177b48438fbc8472
                                                                    • Instruction Fuzzy Hash: BCF012336482196BEB04AFA4EC05AAA379DDB05690F544466FE08DA0D0EB71D9509B98
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(ntdll.dll,02F1EB54,_alldiv,02F1F0B7,80000001,00000000,00989680,00000000,?,?,?,02F1E342,00000000,75A8EA50,80000001,00000000), ref: 02F1EAF2
                                                                    • GetProcAddress.KERNEL32(76E90000,00000000), ref: 02F1EB07
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: ntdll.dll
                                                                    • API String ID: 2574300362-2227199552
                                                                    • Opcode ID: 6c87438c7272f0ecc90c3af2e025a012d0203a2629cf60d2f7a48d508a3cadd3
                                                                    • Instruction ID: 21a2597a5d2992a1153f1858f3abf1503dc4e7709791289951d194560488cf69
                                                                    • Opcode Fuzzy Hash: 6c87438c7272f0ecc90c3af2e025a012d0203a2629cf60d2f7a48d508a3cadd3
                                                                    • Instruction Fuzzy Hash: F9D0C775F4030A57AF31CF64950AE05BAECF751FC17814855A507D1501DB35D41CDB04
                                                                    APIs
                                                                      • Part of subcall function 02F12D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,02F12F01,?,02F120FF,02F22000), ref: 02F12D3A
                                                                      • Part of subcall function 02F12D21: LoadLibraryA.KERNEL32(?), ref: 02F12D4A
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02F12F73
                                                                    • HeapFree.KERNEL32(00000000), ref: 02F12F7A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000C.00000002.2944514600.0000000002F10000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F10000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_12_2_2f10000_svchost.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                    • String ID:
                                                                    • API String ID: 1017166417-0
                                                                    • Opcode ID: 45a62da44e8cc9358703e43fd5a94f66e6f485653edfa5415bdafb4d0de7a826
                                                                    • Instruction ID: 777c78859a99403fc34ec7df68c1b097f9c958538925d8a3d47d5bfdbcee972d
                                                                    • Opcode Fuzzy Hash: 45a62da44e8cc9358703e43fd5a94f66e6f485653edfa5415bdafb4d0de7a826
                                                                    • Instruction Fuzzy Hash: F751B072A0021A9FDF019F64D888AF9B7B5FF05384F5145A9ED96C7210E732DA19CB80