
Windows Analysis Report
lYWiDKe1In.exe

Overview

General Information

Sample name: lYWiDKe1In.exe (renamed because original name is a hash value)
Original sample name: 985584f5b7be5d605c1264624f4bd68e.exe
Analysis ID: 1457173
MD5: 985584f5b7be5d605c1264624f4bd68e
SHA1: 8efbf3680021b3fb3b68094ee5296dcabb5abc1a
SHA256: 5496d968b378eef69af5eb89159bc728b8ad9e395e42c74f788a4b7a8ec8a7bd
Tags: 32exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • lYWiDKe1In.exe (PID: 3572 cmdline: "C:\Users\user\Desktop\lYWiDKe1In.exe" MD5: 985584F5B7BE5D605C1264624F4BD68E)
    • cmd.exe (PID: 1716 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\djiglggs\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6200 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bvvnqaeq.exe" C:\Windows\SysWOW64\djiglggs\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3636 cmdline: "C:\Windows\System32\sc.exe" create djiglggs binPath= "C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d\"C:\Users\user\Desktop\lYWiDKe1In.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5244 cmdline: "C:\Windows\System32\sc.exe" description djiglggs "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 3608 cmdline: "C:\Windows\System32\sc.exe" start djiglggs MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7124 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 3364 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1028 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • bvvnqaeq.exe (PID: 1772 cmdline: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d"C:\Users\user\Desktop\lYWiDKe1In.exe" MD5: DEA876A83A60426A2C1F32D0E6A77799)
    • svchost.exe (PID: 5532 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 3560 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 536 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 3624 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 5352 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3572 -ip 3572 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4372 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1772 -ip 1772 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 4292 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
Source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
Source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Smokeloader_3687686f | Description: unknown | Author: unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
  • 0x27ab:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xf0fc:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security
Source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source | Rule | Description | Author | Strings
Source: 0.2.lYWiDKe1In.exe.6e0e67.1.unpack | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0.2.lYWiDKe1In.exe.6e0e67.1.unpack | Rule: MALWARE_Win_Tofsee | Description: Detects Tofsee | Author: ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
Source: 12.3.bvvnqaeq.exe.5e0000.0.unpack | Rule: Windows_Trojan_Tofsee_26124fe4 | Description: unknown | Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 12.3.bvvnqaeq.exe.5e0000.0.unpack | Rule: MALWARE_Win_Tofsee | Description: Detects Tofsee | Author: ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
Source: 0.2.lYWiDKe1In.exe.400000.0.raw.unpack | Rule: JoeSecurity_Tofsee | Description: Yara detected Tofsee | Author: Joe Security

        System Summary

Source: Process started | Author: David Burkett, @signalblur | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d"C:\Users\user\Desktop\lYWiDKe1In.exe", ParentImage: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe, ParentProcessId: 1772, ParentProcessName: bvvnqaeq.exe, ProcessCommandLine: svchost.exe, ProcessId: 5532, ProcessName: svchost.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\sc.exe" create djiglggs binPath= "C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d\"C:\Users\user\Desktop\lYWiDKe1In.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create djiglggs binPath= "C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d\"C:\Users\user\Desktop\lYWiDKe1In.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\lYWiDKe1In.exe", ParentImage: C:\Users\user\Desktop\lYWiDKe1In.exe, ParentProcessId: 3572, ParentProcessName: lYWiDKe1In.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create djiglggs binPath= "C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d\"C:\Users\user\Desktop\lYWiDKe1In.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 3636, ProcessName: sc.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 52.101.40.26, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 5532, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d"C:\Users\user\Desktop\lYWiDKe1In.exe", ParentImage: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe, ParentProcessId: 1772, ParentProcessName: bvvnqaeq.exe, ProcessCommandLine: svchost.exe, ProcessId: 5532, ProcessName: svchost.exe
Source: Registry Key set | Author: Christian Burkard (Nextron Systems) | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5532, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\djiglggs
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create djiglggs binPath= "C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d\"C:\Users\user\Desktop\lYWiDKe1In.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create djiglggs binPath= "C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d\"C:\Users\user\Desktop\lYWiDKe1In.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\lYWiDKe1In.exe", ParentImage: C:\Users\user\Desktop\lYWiDKe1In.exe, ParentProcessId: 3572, ParentProcessName: lYWiDKe1In.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create djiglggs binPath= "C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d\"C:\Users\user\Desktop\lYWiDKe1In.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 3636, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 3624, ProcessName: svchost.exe
        No Snort rule has matched



        AV Detection

Source: lYWiDKe1In.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\bvvnqaeq.exe | Avira: detection malicious, Label: TR/Crypt.EPACK.Gen2
Source: 12.2.bvvnqaeq.exe.5c0e67.1.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: vanaheim.cn | Virustotal: Detection: 14%
Source: jotunheim.name:443 | Virustotal: Detection: 12%
Source: vanaheim.cn:443 | Virustotal: Detection: 7%
Source: lYWiDKe1In.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\bvvnqaeq.exe | Joe Sandbox ML: detected
Source: lYWiDKe1In.exe | Joe Sandbox ML: detected

        Compliance

Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Unpacked PE file: 0.2.lYWiDKe1In.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Unpacked PE file: 12.2.bvvnqaeq.exe.400000.0.unpack
Source: lYWiDKe1In.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

        Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\djiglggs

        Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.184.26 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.91 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 62.76.228.127 443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.40.26 25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 52.101.40.26
Source: Joe Sandbox View | IP Address: 98.136.96.91
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View | ASN Name: YAHOO-NE1US
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: global traffic | TCP traffic: 192.168.2.5:49706 -> 52.101.40.26:25
Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 98.136.96.91:25
Source: global traffic | TCP traffic: 192.168.2.5:64298 -> 64.233.184.26:25
Source: global traffic | TCP traffic: 192.168.2.5:64300 -> 217.69.139.150:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_00402A62 GetProcessHeap, GetProcessHeap, GetProcessHeap, HeapAlloc, socket, htons, select, recv, htons, htons, htons, GetProcessHeap, HeapAlloc, htons, GetProcessHeap, HeapFree, GetProcessHeap, HeapFree, closesocket, GetProcessHeap, HeapFree
Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic | DNS traffic detected: DNS query: yahoo.com
Source: global traffic | DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic | DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: google.com
Source: global traffic | DNS traffic detected: DNS query: smtp.google.com
Source: global traffic | DNS traffic detected: DNS query: mail.ru
Source: global traffic | DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 64299 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64299
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64301
Source: unknown | Network traffic detected: HTTP traffic on port 64301 -> 443

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 0.2.lYWiDKe1In.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bvvnqaeq.exe.5e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.2cb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bvvnqaeq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lYWiDKe1In.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bvvnqaeq.exe.5e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bvvnqaeq.exe.5c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.bvvnqaeq.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bvvnqaeq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lYWiDKe1In.exe.6e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.lYWiDKe1In.exe.900000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.2035375237.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1993040639.0000000000900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2039462010.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lYWiDKe1In.exe PID: 3572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bvvnqaeq.exe PID: 1772, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5532, type: MEMORYSTR

        System Summary

Source: 0.2.lYWiDKe1In.exe.6e0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.lYWiDKe1In.exe.6e0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.bvvnqaeq.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.bvvnqaeq.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.lYWiDKe1In.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.lYWiDKe1In.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.bvvnqaeq.exe.5c0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.bvvnqaeq.exe.5c0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.svchost.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.svchost.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.bvvnqaeq.exe.5e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.bvvnqaeq.exe.5e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.svchost.exe.2cb0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.svchost.exe.2cb0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.bvvnqaeq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.bvvnqaeq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.lYWiDKe1In.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.bvvnqaeq.exe.5e0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.bvvnqaeq.exe.5e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.lYWiDKe1In.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.bvvnqaeq.exe.5c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.bvvnqaeq.exe.5c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.lYWiDKe1In.exe.900000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.lYWiDKe1In.exe.900000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.3.bvvnqaeq.exe.5e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.3.bvvnqaeq.exe.5e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 12.2.bvvnqaeq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 12.2.bvvnqaeq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.lYWiDKe1In.exe.6e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.lYWiDKe1In.exe.6e0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.lYWiDKe1In.exe.900000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.lYWiDKe1In.exe.900000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000C.00000003.2035375237.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000003.2035375237.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.1993040639.0000000000900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.1993040639.0000000000900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2039090493.0000000000713000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2039369993.000000000047E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.2039462010.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000C.00000002.2039462010.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
        Source: C:\Users\user\Desktop\lYWiDKe1In.exeCode function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle,0_2_00408E26
        Source: C:\Users\user\Desktop\lYWiDKe1In.exeCode function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,0_2_00401280
        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Windows\SysWOW64\djiglggs\Jump to behavior
        Source: C:\Users\user\Desktop\lYWiDKe1In.exeCode function: 0_2_0040C9130_2_0040C913
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exeCode function: 12_2_0040C91312_2_0040C913
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_02CBC91317_2_02CBC913
        Source: C:\Users\user\Desktop\lYWiDKe1In.exeCode function: String function: 006E27AB appears 35 times
        Source: C:\Users\user\Desktop\lYWiDKe1In.exeCode function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\lYWiDKe1In.exeCode function: String function: 00402544 appears 53 times
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3572 -ip 3572
        Source: lYWiDKe1In.exe, 00000000.00000002.2038665427.0000000000432000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamesasdf* vs lYWiDKe1In.exe
        Source: lYWiDKe1In.exe, 00000000.00000002.2039171400.0000000000728000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesasdf* vs lYWiDKe1In.exe
        Source: lYWiDKe1In.exeBinary or memory string: OriginalFilenamesasdf* vs lYWiDKe1In.exe
        Source: lYWiDKe1In.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 0.2.lYWiDKe1In.exe.6e0e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.lYWiDKe1In.exe.6e0e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.bvvnqaeq.exe.5e0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.bvvnqaeq.exe.5e0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.lYWiDKe1In.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.lYWiDKe1In.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.bvvnqaeq.exe.5c0e67.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.bvvnqaeq.exe.5c0e67.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.svchost.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.svchost.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.bvvnqaeq.exe.5e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.bvvnqaeq.exe.5e0000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.svchost.exe.2cb0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.svchost.exe.2cb0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.bvvnqaeq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.bvvnqaeq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.lYWiDKe1In.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.bvvnqaeq.exe.5e0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.bvvnqaeq.exe.5e0000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.lYWiDKe1In.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.bvvnqaeq.exe.5c0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.bvvnqaeq.exe.5c0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.lYWiDKe1In.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.lYWiDKe1In.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.3.bvvnqaeq.exe.5e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.3.bvvnqaeq.exe.5e0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 12.2.bvvnqaeq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 12.2.bvvnqaeq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.lYWiDKe1In.exe.6e0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.lYWiDKe1In.exe.6e0e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.lYWiDKe1In.exe.900000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.lYWiDKe1In.exe.900000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000C.00000003.2035375237.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000003.2035375237.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.1993040639.0000000000900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.1993040639.0000000000900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2039090493.0000000000713000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000002.2039369993.000000000047E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 0000000C.00000002.2039462010.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000C.00000002.2039462010.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: classification engine Classification label: mal100.troj.evad.winEXE@32/3@11/5
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,DeleteFileA,GetLastError
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Code function: 0_2_00717BDE CreateToolhelp32Snapshot,Module32First
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\SysWOW64\svchost.exe Code function: 17_2_02CB9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:5352:64:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:4372:64:WilError_03
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe File created: C:\Users\user\AppData\Local\Temp\bvvnqaeq.exe
        Source: lYWiDKe1In.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: lYWiDKe1In.exe Virustotal: Detection: 56%
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe File read: C:\Users\user\Desktop\lYWiDKe1In.exe
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
        Source: unknown Process created: C:\Users\user\Desktop\lYWiDKe1In.exe "C:\Users\user\Desktop\lYWiDKe1In.exe"
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\djiglggs\
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bvvnqaeq.exe" C:\Windows\SysWOW64\djiglggs\
        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create djiglggs binPath= "C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d\"C:\Users\user\Desktop\lYWiDKe1In.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description djiglggs "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start djiglggs
        Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown Process created: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d"C:\Users\user\Desktop\lYWiDKe1In.exe"
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3572 -ip 3572
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1772 -ip 1772
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1028
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 536
        Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1028
        Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 536
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: msimg32.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: dbghelp.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: msvcr100.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: slc.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe Section loaded: apphelp.dll
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe Section loaded: msimg32.dll
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe Section loaded: dbghelp.dll
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe Section loaded: msvcr100.dll
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\lYWiDKe1In.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\lYWiDKe1In.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
        Source: lYWiDKe1In.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Unpacked PE file: 0.2.lYWiDKe1In.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Unpacked PE file: 12.2.bvvnqaeq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Unpacked PE file: 0.2.lYWiDKe1In.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Unpacked PE file: 12.2.bvvnqaeq.exe.400000.0.unpack
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr | 0_2_00406069
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_0071AEC6 push 0000002Bh; iretd | 0_2_0071AECC
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Code function: 12_2_00485C16 push 0000002Bh; iretd | 12_2_00485C1C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_02CC058F push esp; retf | 17_2_02CC0592
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_02CC0548 push eax; retf | 17_2_02CC054E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_02CC055B push eax; retf | 17_2_02CC055E
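
The two "Unpacked PE file" rows above compare the section table of the image dumped from memory against the file's own, in the report's `name:rights` notation (the dump carries a .rsrc section where the original has .reloc). The Python below is an added example, not Joe Sandbox tooling: it parses a PE section table with nothing but `struct`, renders it in that same notation, and lists the per-section differences between two images, which is the check to run on any unpacked dump before trusting it. The two PE images it runs on are constructed inline (headers only, no code) with Characteristics flags chosen to reproduce the report's strings; the offsets used are those of the PE32 IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER.

```python
import struct

# Section Characteristics flags (winnt.h) that map to the report's E/R/W letters.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def section_rights(characteristics):
    """Render a section's Characteristics as the E/R/W letters the report prints."""
    letters = ""
    if characteristics & IMAGE_SCN_MEM_EXECUTE:
        letters += "E"
    if characteristics & IMAGE_SCN_MEM_READ:
        letters += "R"
    if characteristics & IMAGE_SCN_MEM_WRITE:
        letters += "W"
    return letters


def parse_sections(image):
    """Return [(name, rights)] from the section table of a PE image given as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the section table follows the optional header.
    file_header = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, file_header + 2)[0]
    size_optional = struct.unpack_from("<H", image, file_header + 16)[0]
    table = file_header + 20 + size_optional
    sections = []
    for i in range(num_sections):
        entry = table + i * SECTION_HEADER_SIZE
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", image, entry + 36)[0]  # last field
        sections.append((name, section_rights(characteristics)))
    return sections


def rights_string(sections):
    """Join sections into the 'name:rights;' string used in the report rows."""
    return "".join(f"{name}:{rights};" for name, rights in sections)


def diff_sections(on_disk, in_memory):
    """Describe how a dumped image's section table differs from the file on disk."""
    disk, mem = dict(on_disk), dict(in_memory)
    changes = [f"{n}: only on disk" for n in disk if n not in mem]
    changes += [f"{n}: only in memory dump" for n in mem if n not in disk]
    changes += [f"{n}: {disk[n]} -> {mem[n]}" for n in disk if n in mem and disk[n] != mem[n]]
    return sorted(changes)


def build_pe(sections):
    """Constructed test data: a minimal PE32 header with the given (name, flags) sections."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_optional = 0xE0  # size of a PE32 optional header
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_optional, 0x102)
    optional_header = struct.pack("<H", 0x10B) + b"\0" * (size_optional - 2)  # PE32 magic, rest zero
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, flags)
        for name, flags in sections
    )
    return dos_header + b"PE\0\0" + file_header + optional_header + table


# Flags chosen so the two constructed images reproduce the report's two strings.
ON_DISK = build_pe([(".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                    (".rdata", IMAGE_SCN_MEM_READ),
                    (".data", IMAGE_SCN_MEM_WRITE),
                    (".reloc", IMAGE_SCN_MEM_READ)])
DUMPED = build_pe([(".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                   (".rdata", IMAGE_SCN_MEM_READ),
                   (".data", IMAGE_SCN_MEM_WRITE),
                   (".rsrc", IMAGE_SCN_MEM_READ)])

if __name__ == "__main__":
    print(rights_string(parse_sections(DUMPED)), "vs", rights_string(parse_sections(ON_DISK)))
    for change in diff_sections(parse_sections(ON_DISK), parse_sections(DUMPED)):
        print(" ", change)
```

Point `parse_sections` at the bytes of a real file and a real process dump to get the same comparison; a section whose rights go from ER to ERW, or a section that exists only in the dump, is what the report's "changes PE section rights" and "overwrites its own PE header" signatures are built on.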

Persistence and Installation Behavior

Source: unknown | Executable created and started: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | File created: C:\Users\user\AppData\Local\Temp\bvvnqaeq.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe (copy) (reported twice)
Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\djiglggs
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 0_2_00409A6B
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create djiglggs binPath= "C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d\"C:\Users\user\Desktop\lYWiDKe1In.exe\"" type= own start= auto DisplayName= "wifi support"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\lywidke1in.exe
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00401000
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process information set: NOGPFAULTERRORBOX (4 times)
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process information set: NOGPFAULTERRORBOX (8 times)
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Process information set: NOGPFAULTERRORBOX (2 times)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX (10 times)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 times, alternating with the next row)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (4 times)
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX (2 times)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (15 times, alternating with the next row)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (12 times)

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary | 17_2_02CB199C
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-15800
Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_17-6538
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_12-15414
Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision | graph_17-6241
Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_17-7423
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-15255
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_12-15370
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep | graph_0-15007
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess | graph_0-15060
Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep | graph_17-7520
Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_17-6271
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_0-14838
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_12-15005
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | API coverage: 5.0 %
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | API coverage: 3.8 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 1864 | Thread sleep count: 36 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 1864 | Thread sleep time: -36000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (5 times)
Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed (2 times)
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount | 0_2_00401D96
Source: svchost.exe, 00000011.00000002.3242542410.0000000003000000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~|
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | API call chain: ExitProcess graph end node | graph_0-15267
Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node | graph_17-6273

Anti Debugging

Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep | graph_12-16382
Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep | graph_17-7766
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr | 0_2_00406069
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_006E092B mov eax, dword ptr fs:[00000030h] | 0_2_006E092B
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_006E0D90 mov eax, dword ptr fs:[00000030h] | 0_2_006E0D90
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_007174BB push dword ptr fs:[00000030h] | 0_2_007174BB
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Code function: 12_2_0048220B push dword ptr fs:[00000030h] | 12_2_0048220B
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Code function: 12_2_005C092B mov eax, dword ptr fs:[00000030h] | 12_2_005C092B
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Code function: 12_2_005C0D90 mov eax, dword ptr fs:[00000030h] | 12_2_005C0D90
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap | 0_2_0040EBCC
Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 0_2_00409A6B
Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 12_2_00409A6B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_02CB9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 17_2_02CB9A6B
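
The `mov eax, dword ptr fs:[30h]` and `push dword ptr fs:[30h]` rows above are reads of the PEB pointer from the 32-bit TEB, the usual first step of a `PEB.BeingDebugged` check; the `push 2Bh; iretd` and `push reg; retf` rows in the Data Obfuscation section are the control-flow gadgets (a far return or interrupt return pops a code-segment selector along with EIP) that break linear disassembly. The Python below is an added example and not part of the report: a byte-pattern scanner that finds those exact instruction encodings in a buffer, ranks them by how likely a two- or three-byte match is to be accidental, and, as a refinement the report itself does not make, checks whether a PEB read is followed within a few bytes by an access to offset 2 of the PEB (`BeingDebugged`). The buffer it scans is constructed inline, not bytes taken from the analysed sample.

```python
# Byte patterns for the instructions the report quotes, with a confidence level:
# two-byte gadgets such as "push eax; retf" also occur by chance in ordinary data.
PATTERNS = {
    "mov eax, fs:[30h] (PEB read)": (bytes.fromhex("64A130000000"), "high"),
    "push dword ptr fs:[30h] (PEB read)": (bytes.fromhex("64FF3530000000"), "high"),
    "push 2Bh; iretd (control-flow obfuscation)": (bytes.fromhex("6A2BCF"), "medium"),
    "push esp; retf (control-flow obfuscation)": (bytes.fromhex("54CB"), "low"),
    "push eax; retf (control-flow obfuscation)": (bytes.fromhex("50CB"), "low"),
}
CONFIDENCE = {"low": 0, "medium": 1, "high": 2}

# Instructions that read PEB.BeingDebugged (offset 2) through the PEB pointer in EAX.
# Assumption of this example: the report only shows the fs:[30h] access itself.
BEING_DEBUGGED_READS = (
    bytes.fromhex("8A4002"),    # mov al, byte ptr [eax+2]
    bytes.fromhex("0FB64002"),  # movzx eax, byte ptr [eax+2]
    bytes.fromhex("80780200"),  # cmp byte ptr [eax+2], 0
)


def scan(buf, min_confidence="low"):
    """Return sorted (offset, description, confidence) for every pattern hit in buf."""
    hits = []
    for desc, (pattern, conf) in PATTERNS.items():
        if CONFIDENCE[conf] < CONFIDENCE[min_confidence]:
            continue
        pos = buf.find(pattern)
        while pos != -1:
            hits.append((pos, desc, conf))
            pos = buf.find(pattern, pos + 1)  # overlapping matches are fine here
    return sorted(hits)


def reads_being_debugged(buf, offset, window=16):
    """True if a PEB read at `offset` is followed within `window` bytes by a BeingDebugged access."""
    tail = buf[offset:offset + window]
    return any(insn in tail for insn in BEING_DEBUGGED_READS)


def report(buf, min_confidence="low"):
    """One line per hit, annotating PEB reads that feed a BeingDebugged check."""
    lines = []
    for offset, desc, conf in scan(buf, min_confidence):
        note = ""
        if "PEB read" in desc and reads_being_debugged(buf, offset):
            note = " [followed by PEB.BeingDebugged check]"
        lines.append(f"0x{offset:04x} {desc} [{conf}]{note}")
    return lines


# Constructed sample buffer: a function prologue, a BeingDebugged check, then the two
# gadget types from the Data Obfuscation rows, separated by NOP padding.
SAMPLE = (
    bytes.fromhex("558BEC")          # push ebp; mov ebp, esp
    + bytes.fromhex("64A130000000")  # mov eax, fs:[30h]
    + bytes.fromhex("0FB64002")      # movzx eax, byte ptr [eax+2]
    + bytes.fromhex("85C07505")      # test eax, eax; jnz +5
    + b"\x90" * 8
    + bytes.fromhex("6A2BCF")        # push 2Bh; iretd
    + b"\x90" * 4
    + bytes.fromhex("54CB")          # push esp; retf
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(data):
        print(line)
```

Run it over an unpacked dump rather than the packed file on disk, since the packed sample hides these bytes until runtime. Treat the low-confidence hits as leads only: `54 CB` and `50 CB` appear in legitimate data often enough that they are worth reporting only when they cluster near the higher-confidence patterns, and compiler-generated code reads `fs:[30h]` for benign reasons too, which is why the BeingDebugged follow-up check is the part worth keeping.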

        HIPS / PFW / Operating System Protection Evasion

        barindex
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.184.26 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.91 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 62.76.228.127 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.40.26 25
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2CB0000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CB0000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CB0000
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A1E008
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\djiglggs\
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bvvnqaeq.exe" C:\Windows\SysWOW64\djiglggs\
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create djiglggs binPath= "C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d\"C:\Users\user\Desktop\lYWiDKe1In.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description djiglggs "wifi internet conection"
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start djiglggs
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3572 -ip 3572
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1772 -ip 1772
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1028
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 536
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00406EDD
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,0_2_0040405E
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,0_2_0040EC54
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,0_2_0040B211
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

        Source: Yara match | File source: 0.2.lYWiDKe1In.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.svchost.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.bvvnqaeq.exe.5e0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.svchost.exe.2cb0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.bvvnqaeq.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.lYWiDKe1In.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.bvvnqaeq.exe.5e0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.bvvnqaeq.exe.5c0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.3.bvvnqaeq.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.bvvnqaeq.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.lYWiDKe1In.exe.6e0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.lYWiDKe1In.exe.900000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000003.2035375237.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1993040639.0000000000900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2039462010.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: lYWiDKe1In.exe PID: 3572, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: bvvnqaeq.exe PID: 1772, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5532, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 0.2.lYWiDKe1In.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.svchost.exe.2cb0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.bvvnqaeq.exe.5e0000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 17.2.svchost.exe.2cb0000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.bvvnqaeq.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.lYWiDKe1In.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.bvvnqaeq.exe.5e0000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.bvvnqaeq.exe.5c0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.3.bvvnqaeq.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.bvvnqaeq.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.lYWiDKe1In.exe.6e0e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.lYWiDKe1In.exe.900000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000003.2035375237.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.1993040639.0000000000900000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2039462010.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: lYWiDKe1In.exe PID: 3572, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: bvvnqaeq.exe PID: 1772, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5532, type: MEMORYSTR
        Source: C:\Users\user\Desktop\lYWiDKe1In.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,0_2_004088B0
        Source: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe | Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,12_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_02CB88B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,17_2_02CB88B0

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 41 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 3 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 12 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | 3 Service Execution | 14 Windows Service | 1 Access Token Manipulation | 2 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 14 Windows Service | 2 Software Packing | NTDS | 15 System Information Discovery | Distributed Component Object Model | Input Capture | 112 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 412 Process Injection | 1 DLL Side-Loading | LSA Secrets | 111 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Masquerading | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 412 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph ID: 1457173, Sample: lYWiDKe1In.exe, Startdate: 14/06/2024, Architecture: WINDOWS, Score: 100
        Start node (2): contacts yahoo.com, vanaheim.cn and 7 other IPs or domains; signatures: Multi AV Scanner detection for domain / URL, Found malware configuration, Malicious sample detected (through community Yara rule), 11 other signatures; started bvvnqaeq.exe (8), lYWiDKe1In.exe (11), svchost.exe (14), svchost.exe (16)
        bvvnqaeq.exe (8): signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Found API chain indicative of debugger detection, 3 other signatures; started svchost.exe (18), WerFault.exe (22)
        lYWiDKe1In.exe (11): dropped C:\Users\user\AppData\Local\...\bvvnqaeq.exe, PE32; signatures: Uses netsh to modify the Windows network and firewall settings, Modifies the windows firewall; started cmd.exe (24), netsh.exe (27), cmd.exe (29), 4 other processes (35)
        svchost.exe (14): started WerFault.exe (31), WerFault.exe (33)
        svchost.exe (18): connects to mta5.am0.yahoodns.net 98.136.96.91, 25 YAHOO-NE1US United States; microsoft-com.mail.protection.outlook.com 52.101.40.26, 25 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 3 other IPs or domains; signatures: System process connects to network (likely due to code injection or exploit), Found API chain indicative of debugger detection, Deletes itself after installation, Adds extensions / path to Windows Defender exclusion list (Registry)
        cmd.exe (24): dropped C:\Windows\SysWOW64\...\bvvnqaeq.exe (copy), PE32; started conhost.exe (37)
        netsh.exe (27): started conhost.exe (39)
        cmd.exe (29): started conhost.exe (41)
        4 other processes (35): started conhost.exe (43), conhost.exe (45), conhost.exe (47)

        Source | Detection | Scanner | Label
        lYWiDKe1In.exe | 57% | Virustotal |
        lYWiDKe1In.exe | 100% | Avira | HEUR/AGEN.1310445
        lYWiDKe1In.exe | 100% | Joe Sandbox ML |
        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\bvvnqaeq.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
        C:\Users\user\AppData\Local\Temp\bvvnqaeq.exe | 100% | Joe Sandbox ML |
        No Antivirus matches
        Source | Detection | Scanner | Label
        mxs.mail.ru | 0% | Virustotal |
        mta5.am0.yahoodns.net | 0% | Virustotal |
        microsoft-com.mail.protection.outlook.com | 0% | Virustotal |
        vanaheim.cn | 15% | Virustotal |
        mail.ru | 0% | Virustotal |
        smtp.google.com | 0% | Virustotal |
        google.com | 1% | Virustotal |
        yahoo.com | 1% | Virustotal |
        171.39.242.20.in-addr.arpa | 1% | Virustotal |
        Source | Detection | Scanner | Label
        jotunheim.name:443 | 13% | Virustotal |
        jotunheim.name:443 | 0% | Avira URL Cloud | safe
        vanaheim.cn:443 | 0% | Avira URL Cloud | safe
        vanaheim.cn:443 | 8% | Virustotal |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        mxs.mail.ru | 217.69.139.150 | true | true | | unknown
        mta5.am0.yahoodns.net | 98.136.96.91 | true | true | | unknown
        microsoft-com.mail.protection.outlook.com | 52.101.40.26 | true | true | | unknown
        vanaheim.cn | 62.76.228.127 | true | true | | unknown
        smtp.google.com | 64.233.184.26 | true | false | | unknown
        google.com | unknown | unknown | true | | unknown
        yahoo.com | unknown | unknown | true | | unknown
        mail.ru | unknown | unknown | true | | unknown
        171.39.242.20.in-addr.arpa | unknown | unknown | true | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        vanaheim.cn:443 | true | 8%, Virustotal; Avira URL Cloud: safe | unknown
        jotunheim.name:443 | true | 13%, Virustotal; Avira URL Cloud: safe | unknown
        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs
        IP | Domain | Country | ASN | ASN Name | Malicious
        52.101.40.26 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
        64.233.184.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
        98.136.96.91 | mta5.am0.yahoodns.net | United States | 36646 | YAHOO-NE1US | true
        217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
        62.76.228.127 | vanaheim.cn | Russian Federation | 201211 | DRUGOYTEL-ASRU | true
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1457173
        Start date and time:2024-06-14 11:19:05 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 6m 3s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:24
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:lYWiDKe1In.exe
        renamed because original name is a hash value
        Original Sample Name:985584f5b7be5d605c1264624f4bd68e.exe
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@32/3@11/5
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 61
        • Number of non-executed functions: 260
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
        • Excluded IPs from analysis (whitelisted): 20.112.250.133, 20.236.44.162, 20.76.201.171, 20.231.239.246, 20.70.246.20
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed; the report is missing behavior information
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        Time | Type | Description
        05:20:39 | API Interceptor | 10x Sleep call for process: svchost.exe modified
        Match | Associated Sample Name / URL | Detection | Threat Name
        52.101.40.26 | DWoKcG581L.exe | malicious | Tofsee
        52.101.40.26 | Wc4SadetF5.exe | malicious | Tofsee
        52.101.40.26 | L7iza9mNDI.exe | malicious | Tofsee
        52.101.40.26 | file.exe | malicious | Tofsee
        52.101.40.26 | U9dDsItOij.exe | malicious | Tofsee
        52.101.40.26 | t26nL0kcxj.exe | malicious | Tofsee
        52.101.40.26 | lhs31fcc2k0lmr.exe | malicious | Tofsee
        52.101.40.26 | SecuriteInfo.com.Win32.TrojanX-gen.5284.17028.exe | malicious | Tofsee
        52.101.40.26 | SecuriteInfo.com.Win32.TrojanX-gen.9178.5965.exe | malicious | Tofsee
        52.101.40.26 | SecuriteInfo.com.Win32.BotX-gen.15544.10747.exe | malicious | Tofsee
        98.136.96.91 | rpzOeQ5QzX.exe | malicious | Tofsee
        98.136.96.91 | newtpp.exe | malicious | Phorpiex
        98.136.96.91 | gEkl9O5tiu.exe | malicious | Phorpiex
        98.136.96.91 | file.exe | malicious | Phorpiex, Xmrig
        98.136.96.91 | .exe | malicious | Unknown
        98.136.96.91 | l3Qj8QhTYZ.exe | malicious | Phorpiex
        98.136.96.91 | message.txt.exe | malicious | Unknown
        98.136.96.91 | test.dat.exe | malicious | Unknown
        98.136.96.91 | Update-KB7390-x86.exe | malicious | Unknown
        98.136.96.91 | Update-KB5058-x86.exe | malicious | Unknown
        217.69.139.150 | dIg0MWRViP.exe | malicious | Tofsee
        217.69.139.150 | rpzOeQ5QzX.exe | malicious | Tofsee
        217.69.139.150 | OgcktrbHkI.exe | malicious | Tofsee
        217.69.139.150 | G7DyaA9iz9.exe | malicious | Pushdo
        217.69.139.150 | x607DB0i08.exe | malicious | Pushdo
        217.69.139.150 | x7RlIzQDk1.exe | malicious | Unknown
        217.69.139.150 | EwK95WVtzI.exe | malicious | Pushdo
        217.69.139.150 | OWd39WUX3D.exe | malicious | Pushdo
        217.69.139.150 | 0bv3c9AqYs.exe | malicious | Pushdo
        217.69.139.150 | gEkl9O5tiu.exe | malicious | Phorpiex
        Match | Associated Sample Name / URL | Detection | Threat Name | Context
        mta5.am0.yahoodns.net | I7ldmFS13W.exe | malicious | Phorpiex | 67.195.204.73
        mta5.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.228.110
        mta5.am0.yahoodns.net | file.exe | malicious | Phorpiex | 98.136.96.74
        mta5.am0.yahoodns.net | file.exe | malicious | Tofsee | 98.136.96.77
        mta5.am0.yahoodns.net | newtpp.exe | malicious | Phorpiex | 67.195.204.77
        mta5.am0.yahoodns.net | file.msg.scr.exe | malicious | Unknown | 67.195.228.110
        mta5.am0.yahoodns.net | file.exe | malicious | Phorpiex, Xmrig | 67.195.228.109
        mta5.am0.yahoodns.net | .exe | malicious | Unknown | 67.195.228.111
        mta5.am0.yahoodns.net | l3Qj8QhTYZ.exe | malicious | Phorpiex | 98.136.96.75
        mta5.am0.yahoodns.net | file.exe | malicious | Tofsee | 67.195.228.111
        vanaheim.cn | dIg0MWRViP.exe | malicious | Tofsee | 141.8.199.94
        vanaheim.cn | rpzOeQ5QzX.exe | malicious | Tofsee | 141.8.199.94
        vanaheim.cn | OgcktrbHkI.exe | malicious | Tofsee | 109.107.161.150
        vanaheim.cn | DWoKcG581L.exe | malicious | Tofsee | 85.208.208.90
        vanaheim.cn | kPl1mZTpru.exe | malicious | Tofsee | 77.232.138.239
        vanaheim.cn | Wc4SadetF5.exe | malicious | Tofsee | 5.188.88.112
        vanaheim.cn | L7iza9mNDI.exe | malicious | Tofsee | 5.188.88.112
        vanaheim.cn | file.exe | malicious | Tofsee | 5.188.88.112
        vanaheim.cn | mvu3vh0t.exe | malicious | Tofsee | 194.169.163.56
        vanaheim.cn | U9dDsItOij.exe | malicious | Tofsee | 194.169.163.56
        microsoft-com.mail.protection.outlook.com | dIg0MWRViP.exe | malicious | Tofsee | 104.47.53.36
        microsoft-com.mail.protection.outlook.com | rpzOeQ5QzX.exe | malicious | Tofsee | 104.47.54.36
        microsoft-com.mail.protection.outlook.com | OgcktrbHkI.exe | malicious | Tofsee | 104.47.53.36
        microsoft-com.mail.protection.outlook.com | DWoKcG581L.exe | malicious | Tofsee | 104.47.53.36
        microsoft-com.mail.protection.outlook.com | kPl1mZTpru.exe | malicious | Tofsee | 52.101.11.0
        microsoft-com.mail.protection.outlook.com | Wc4SadetF5.exe | malicious | Tofsee | 104.47.53.36
        microsoft-com.mail.protection.outlook.com | L7iza9mNDI.exe | malicious | Tofsee | 52.101.11.0
        microsoft-com.mail.protection.outlook.com | file.exe | malicious | Tofsee | 52.101.11.0
        microsoft-com.mail.protection.outlook.com | sorteado!!.com.exe | malicious | Unknown | 52.101.11.0
        microsoft-com.mail.protection.outlook.com | mvu3vh0t.exe | malicious | Tofsee | 104.47.53.36
        mxs.mail.ru | dIg0MWRViP.exe | malicious | Tofsee | 217.69.139.150
        mxs.mail.ru | rpzOeQ5QzX.exe | malicious | Tofsee | 217.69.139.150
        mxs.mail.ru | OgcktrbHkI.exe | malicious | Tofsee | 217.69.139.150
        mxs.mail.ru | a5hbkmGD7N.exe | malicious | Pushdo | 94.100.180.31
        mxs.mail.ru | G7DyaA9iz9.exe | malicious | Pushdo | 217.69.139.150
        mxs.mail.ru | x7RlIzQDk1.exe | malicious | Unknown | 217.69.139.150
        mxs.mail.ru | gEkl9O5tiu.exe | malicious | Phorpiex | 94.100.180.31
        mxs.mail.ru | PIyT9A3jfC.exe | malicious | Pushdo |
                                                                    • 217.69.139.150
                                                                    file.exeGet hashmaliciousPhorpiex, XmrigBrowse
                                                                    • 217.69.139.150
                                                                    rLDmqbpt5D.exeGet hashmaliciousPushdo, DanaBot, RedLine, SmokeLoaderBrowse
                                                                    • 94.100.180.31
                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    DRUGOYTEL-ASRUhttp://students.humanconnections.com.au/Y0X.swf?8o542c!cbbbbxm0wqr!c!jtn1s!f40w2!dg!dbk!ck!hrx1b!5hb4!cbbcq4Get hashmaliciousUnknownBrowse
                                                                    • 62.76.228.2
                                                                    RSVAU8h96hGet hashmaliciousMiraiBrowse
                                                                    • 185.73.18.199
                                                                    LRLZJUXBPkGet hashmaliciousMiraiBrowse
                                                                    • 185.73.18.116
                                                                    MAILRU-ASMailRuRUhttps://cs13786.tw1.ru/Get hashmaliciousUnknownBrowse
                                                                    • 217.69.129.214
                                                                    http://cf20871.tw1.ru/Get hashmaliciousUnknownBrowse
                                                                    • 5.61.23.11
                                                                    x64.nn.elfGet hashmaliciousMiraiBrowse
                                                                    • 128.140.169.91
                                                                    dIg0MWRViP.exeGet hashmaliciousTofseeBrowse
                                                                    • 217.69.139.150
                                                                    rpzOeQ5QzX.exeGet hashmaliciousTofseeBrowse
                                                                    • 217.69.139.150
                                                                    uUyFtCTKDd.elfGet hashmaliciousMiraiBrowse
                                                                    • 94.100.184.243
                                                                    https://www.ixxin.cn/go.html?url=https://ok.me/b5SG1?M6bxrJ9vlWS?MtRgHryntBJGet hashmaliciousGRQ ScamBrowse
                                                                    • 217.20.155.6
                                                                    OgcktrbHkI.exeGet hashmaliciousTofseeBrowse
                                                                    • 217.69.139.150
                                                                    c40snYcuW6.elfGet hashmaliciousMiraiBrowse
                                                                    • 5.61.23.80
                                                                    arm7.elfGet hashmaliciousMiraiBrowse
                                                                    • 217.69.134.17
                                                                    MICROSOFT-CORP-MSN-AS-BLOCKUSArenaWarSetup.exeGet hashmaliciousStealitBrowse
                                                                    • 20.199.87.174
                                                                    ArenaWarSetup.exeGet hashmaliciousStealitBrowse
                                                                    • 20.199.87.174
                                                                    YoutubePlaylistDownloader.exeGet hashmaliciousUnknownBrowse
                                                                    • 52.168.117.169
                                                                    Report.emlGet hashmaliciousUnknownBrowse
                                                                    • 52.113.195.132
                                                                    Rolls-Royce WorkRequest.xlsGet hashmaliciousUnknownBrowse
                                                                    • 52.113.195.132
                                                                    #U0625#U064a#U0635#U0627#U0644 #U0627#U0644#U062f#U0641#U0639.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                                                    • 13.107.139.11
                                                                    t5SYVk0Tkt.exeGet hashmaliciousPureLog Stealer, SystemBCBrowse
                                                                    • 20.23.140.143
                                                                    UDxMi3I3lO.exeGet hashmaliciousPureLog Stealer, SystemBCBrowse
                                                                    • 20.23.140.143
                                                                    https://atpscan.global.hornetsecurity.com/index.php?atp_str=8B8Q674nKweUpOPaXKM6VOMa9rVmT9F88gJKf7UnPIk7lVcTg1Q-V4IPa1qZ6xDW_Np8A6rXdvweyDFb4X_duRJq__NRXl8C6nr4Fp6_6jXTKY8i-eq9zaGF1nRMS5Naow-X8iPhCaW7gWnz15HywoXkRlBcF-HA5u9xlgwyXxJSOjg--X44rz6dyWRvR2kCcFbMVsikMsdWQtd8ernHlT8lEInagAkd6hInpq8HnR6qVnxsrq7Rp44guKAEXU6p35hzk1o7dqF0S746O9GWjNgbNSAsbClpjLwncPp2G24UeXuZxJpZDdiZxjV9eCg9jbcVC3za2iUP-qdmWbyOqIbtGcKK-4aGuNt5n-Ty9INr0JazCx6mCM_Aqb3V9vOzIhqqb3prxifizllceSNEbCM6OiMEWF8fLffrzjsUM-YjOjojHP7D4cEHhs3d2aEM0AucrgGet hashmaliciousHTMLPhisherBrowse
                                                                    • 40.99.150.98
                                                                    https://code.jquery.com/jquery-3.6.0.min.jsGet hashmaliciousUnknownBrowse
                                                                    • 52.109.76.240
                                                                    YAHOO-NE1USrpzOeQ5QzX.exeGet hashmaliciousTofseeBrowse
                                                                    • 98.136.96.91
                                                                    V#U2550DEOS.EXEGet hashmaliciousBrontokBrowse
                                                                    • 74.6.231.20
                                                                    vylI38MZOn.elfGet hashmaliciousMiraiBrowse
                                                                    • 98.137.87.64
                                                                    https://www.canva.com/design/DAGDiia04Xg/_SQxN5BXpIl2RgDD44fATw/edit?utm_content=DAGDiia04Xg&utm_campaign=designshare&utm_medium=link2&utm_source=sharebuttonGet hashmaliciousHTMLPhisherBrowse
                                                                    • 98.137.155.8
                                                                    P5uKPY120j.elfGet hashmaliciousMiraiBrowse
                                                                    • 216.252.107.75
                                                                    806aab44-6c03-4577-a3c4-83aa13dc7875.tmpGet hashmaliciousUnknownBrowse
                                                                    • 98.137.155.8
                                                                    https://xsetlp3sattty7yhmls.weebly.com/Get hashmaliciousHTMLPhisherBrowse
                                                                    • 74.6.231.20
                                                                    https://ioa.pages.dev/account/js-reporting/?crumb=uZ4.07kERLI&message=javascript_not_enabled&ref=%2Faccount%2Fchallenge%2FpasswordIP:Get hashmaliciousHTMLPhisherBrowse
                                                                    • 74.6.231.18
                                                                    https://trhj.pages.dev/IP:Get hashmaliciousHTMLPhisherBrowse
                                                                    • 74.6.231.18
                                                                    K7HXpfSHdt.elfGet hashmaliciousMirai, MoobotBrowse
                                                                    • 98.138.128.222
                                                                    No context
                                                                    No context
                                                                    Process:C:\Users\user\Desktop\lYWiDKe1In.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):11102720
                                                                    Entropy (8bit):4.833656385413997
                                                                    Encrypted:false
                                                                    SSDEEP:196608:KaBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB3:zBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBh
                                                                    MD5:DEA876A83A60426A2C1F32D0E6A77799
                                                                    SHA1:7CCAD1033B2948D9EBFE026E9C18F75D07835F5F
                                                                    SHA-256:0A75853AAB700610742D00E95AF8BC9B5BAF166535466B2757D01753A9BD6416
                                                                    SHA-512:ABAE7FCFF1AF67BB60C582E28857236AE845DAE49735D855F138AD481BD3326294E2CE1A2930EA1DE77C30242922A7DC910360B8173A446AEB1F4D165A65CD05
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    Process:C:\Windows\SysWOW64\cmd.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):11102720
                                                                    Entropy (8bit):4.833656385413997
                                                                    Encrypted:false
                                                                    SSDEEP:196608:KaBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB3:zBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBh
                                                                    MD5:DEA876A83A60426A2C1F32D0E6A77799
                                                                    SHA1:7CCAD1033B2948D9EBFE026E9C18F75D07835F5F
                                                                    SHA-256:0A75853AAB700610742D00E95AF8BC9B5BAF166535466B2757D01753A9BD6416
                                                                    SHA-512:ABAE7FCFF1AF67BB60C582E28857236AE845DAE49735D855F138AD481BD3326294E2CE1A2930EA1DE77C30242922A7DC910360B8173A446AEB1F4D165A65CD05
                                                                    Malicious:true
                                                                    Process:C:\Windows\SysWOW64\netsh.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):3773
                                                                    Entropy (8bit):4.7109073551842435
                                                                    Encrypted:false
                                                                    SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                    MD5:DA3247A302D70819F10BCEEBAF400503
                                                                    SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                    SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                    SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                    Malicious:false
                                                                    Preview:
                                                                    A specified value is not valid.

                                                                    Usage: add rule name=<string>
                                                                          dir=in|out
                                                                          action=allow|block|bypass
                                                                          [program=<program path>]
                                                                          [service=<service short name>|any]
                                                                          [description=<string>]
                                                                          [enable=yes|no (default=yes)]
                                                                          [profile=public|private|domain|any[,...]]
                                                                          [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
                                                                          [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
                                                                             <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
                                                                          [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
                                                                          [remoteport=0-65535|<port range>[,...]|any (default=any)]
                                                                          [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
                                                                             tcp|udp|any (default=any)]
                                                                          [interfacetype=wireless|lan|ras|any]
                                                                          [rmtcomputergrp=<SDDL string>]
                                                                          [rmtusrgrp=<SDDL string>]
                                                                          [edge=yes|deferapp|deferuser|no (default=no)]
                                                                          [security=authenticate|authenc|authdynenc|authnoencap|
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):6.248033329266071
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:lYWiDKe1In.exe
                                                                    File size:296'960 bytes
                                                                    MD5:985584f5b7be5d605c1264624f4bd68e
                                                                    SHA1:8efbf3680021b3fb3b68094ee5296dcabb5abc1a
                                                                    SHA256:5496d968b378eef69af5eb89159bc728b8ad9e395e42c74f788a4b7a8ec8a7bd
                                                                    SHA512:e6c582d168f066c031161b8b098114edd95f5fde5c70eb1e8150fb44fd3520a4be7e9e71195c3c58078d7b9802e053ffa3e452a87965eb9e6a0ac580ccd8e34b
                                                                    SSDEEP:3072:NNnq5gpiR+cS7kBapQOm47e6rGyQqKCHRsJFULJtkSUyHbmcnTVaz42JVOrTKYj:rq5gN70xee6treFD7y7mcnTVaBJVOrT
                                                                    TLSH:ED54391392DCBC40EC2387399F1E96EC7F1EB8529E19671622086E1FE471AB1F593718
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..p...#...#...#u.|#...#u.I#...#u.}#R..#..D#...#...#C..#u.x#...#u.M#...#u.J#...#Rich...#........PE..L...`..c.................r.
                                                                    Icon Hash:53294d456555510d
                                                                    Entrypoint:0x402f14
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x63EEF760 [Fri Feb 17 03:41:20 2023 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:1
                                                                    File Version Major:5
                                                                    File Version Minor:1
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:1
                                                                    Import Hash:21bb6d66b5d6d28ae8c3bacf2985bb75
                                                                    Instruction
                                                                    call 00007FB6F0D0F17Ah
                                                                    jmp 00007FB6F0D0CD5Eh
                                                                    mov edi, edi
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    mov eax, dword ptr [ebp+08h]
                                                                    xor ecx, ecx
                                                                    cmp eax, dword ptr [0040C008h+ecx*8]
                                                                    je 00007FB6F0D0CEE5h
                                                                    inc ecx
                                                                    cmp ecx, 2Dh
                                                                    jc 00007FB6F0D0CEC3h
                                                                    lea ecx, dword ptr [eax-13h]
                                                                    cmp ecx, 11h
                                                                    jnbe 00007FB6F0D0CEE0h
                                                                    push 0000000Dh
                                                                    pop eax
                                                                    pop ebp
                                                                    ret
                                                                    mov eax, dword ptr [0040C00Ch+ecx*8]
                                                                    pop ebp
                                                                    ret
                                                                    add eax, FFFFFF44h
                                                                    push 0000000Eh
                                                                    pop ecx
                                                                    cmp ecx, eax
                                                                    sbb eax, eax
                                                                    and eax, ecx
                                                                    add eax, 08h
                                                                    pop ebp
                                                                    ret
                                                                    call 00007FB6F0D0E2C6h
                                                                    test eax, eax
                                                                    jne 00007FB6F0D0CED8h
                                                                    mov eax, 0040C170h
                                                                    ret
                                                                    add eax, 08h
                                                                    ret
                                                                    call 00007FB6F0D0E2B3h
                                                                    test eax, eax
                                                                    jne 00007FB6F0D0CED8h
                                                                    mov eax, 0040C174h
                                                                    ret
                                                                    add eax, 0Ch
                                                                    ret
                                                                    mov edi, edi
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push esi
                                                                    call 00007FB6F0D0CEB7h
                                                                    mov ecx, dword ptr [ebp+08h]
                                                                    push ecx
                                                                    mov dword ptr [eax], ecx
                                                                    call 00007FB6F0D0CE57h
                                                                    pop ecx
                                                                    mov esi, eax
                                                                    call 00007FB6F0D0CE91h
                                                                    mov dword ptr [eax], esi
                                                                    pop esi
                                                                    pop ebp
                                                                    ret
                                                                    push 00000000h
                                                                    push 00001000h
                                                                    push 00000000h
                                                                    call dword ptr [00409088h]
                                                                    xor ecx, ecx
                                                                    test eax, eax
                                                                    setne cl
                                                                    mov dword ptr [00423530h], eax
                                                                    mov eax, ecx
                                                                    ret
                                                                    mov edi, edi
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    mov eax, 00001AE4h
                                                                    call 00007FB6F0D0F62Fh
                                                                    mov eax, dword ptr [0040C570h]
                                                                    Programming Language:
                                                                    • [C++] VS2010 build 30319
                                                                    • [ASM] VS2010 build 30319
                                                                    • [ C ] VS2010 build 30319
                                                                    • [IMP] VS2008 SP1 build 30729
                                                                    • [RES] VS2010 build 30319
                                                                    • [LNK] VS2010 build 30319
                                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0xadd4           0x28          .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x32000          0x27598       .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0xadfc           0x1c          .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xaa60           0x40          .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x9000           0x14c         .rdata
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                                    Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
                                                                    .text   0x1000           0x7160        0x7200    3de7dc72e13d0ee770d19a01f0691356  False     0.6467927631578947   data       6.656480119984569  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                    .rdata  0x9000           0x255c        0x2600    ccb0be395dd31b91bb77980b7c869ffb  False     0.34405838815789475  data       4.720629897356499  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .data   0xc000           0x257ac       0x17600   197638676936b42882dd165ea9cfd941  False     0.8875752005347594   data       7.585266498834436  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                    .rsrc   0x32000          0x27598       0x27600   a83116d9e8f4d8f08b8fba5dbd3867ca  False     0.3700768849206349   data       4.786838083849537  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x51f50 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663
RT_CURSOR | 0x52df8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141
RT_CURSOR | 0x536a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497
RT_CURSOR | 0x53c38 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375
RT_CURSOR | 0x53d68 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635
RT_CURSOR | 0x53e40 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255
RT_CURSOR | 0x54ce8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375
RT_CURSOR | 0x55590 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093
RT_CURSOR | 0x55b28 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755
RT_CURSOR | 0x569d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018
RT_CURSOR | 0x57278 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751
RT_ICON | 0x32cd0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Japanese | Japan | 0.47574626865671643
RT_ICON | 0x33b78 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Japanese | Japan | 0.5911552346570397
RT_ICON | 0x34420 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Japanese | Japan | 0.652073732718894
RT_ICON | 0x34ae8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Japanese | Japan | 0.6828034682080925
RT_ICON | 0x35050 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Japanese | Japan | 0.3746887966804979
RT_ICON | 0x375f8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Japanese | Japan | 0.4772514071294559
RT_ICON | 0x386a0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Japanese | Japan | 0.5545081967213115
RT_ICON | 0x39028 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Japanese | Japan | 0.6320921985815603
RT_ICON | 0x39508 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.4182027649769585
RT_ICON | 0x39bd0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.16400414937759336
RT_ICON | 0x3c178 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.21365248226950354
RT_ICON | 0x3c610 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.4182027649769585
RT_ICON | 0x3ccd8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.16400414937759336
RT_ICON | 0x3f280 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.21365248226950354
RT_ICON | 0x3f718 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Japanese | Japan | 0.3675373134328358
RT_ICON | 0x405c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Japanese | Japan | 0.453971119133574
RT_ICON | 0x40e68 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.4596774193548387
RT_ICON | 0x41530 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Japanese | Japan | 0.4486994219653179
RT_ICON | 0x41a98 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.26680497925311203
RT_ICON | 0x44040 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Japanese | Japan | 0.3074577861163227
RT_ICON | 0x450e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.3608156028368794
RT_ICON | 0x455b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Japanese | Japan | 0.5652985074626866
RT_ICON | 0x46460 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Japanese | Japan | 0.549187725631769
RT_ICON | 0x46d08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Japanese | Japan | 0.6192196531791907
RT_ICON | 0x47270 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.46255186721991703
RT_ICON | 0x49818 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Japanese | Japan | 0.48827392120075047
RT_ICON | 0x4a8c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Japanese | Japan | 0.49098360655737705
RT_ICON | 0x4b248 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.4521276595744681
RT_ICON | 0x4b718 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Japanese | Japan | 0.4163113006396588
RT_ICON | 0x4c5c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Japanese | Japan | 0.5112815884476535
RT_ICON | 0x4ce68 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.6036866359447005
RT_ICON | 0x4d530 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Japanese | Japan | 0.5447976878612717
RT_ICON | 0x4da98 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.4386929460580913
RT_ICON | 0x50040 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Japanese | Japan | 0.4580206378986867
RT_ICON | 0x510e8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Japanese | Japan | 0.4680327868852459
RT_ICON | 0x51a70 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.5150709219858156
RT_STRING | 0x57a80 | 0x3f2 | data | Japanese | Japan | 0.46633663366336636
RT_STRING | 0x57e78 | 0x64e | data | Japanese | Japan | 0.4306071871127633
RT_STRING | 0x584c8 | 0x28e | data | Japanese | Japan | 0.4908256880733945
RT_STRING | 0x58758 | 0x18e | data | Japanese | Japan | 0.5100502512562815
RT_STRING | 0x588e8 | 0x2d2 | data | Japanese | Japan | 0.4626038781163435
RT_STRING | 0x58bc0 | 0x6fa | data | Japanese | Japan | 0.4227323628219485
RT_STRING | 0x592c0 | 0x2d2 | data | Japanese | Japan | 0.4695290858725762
RT_GROUP_CURSOR | 0x53c08 | 0x30 | data | | | 0.9375
RT_GROUP_CURSOR | 0x53e18 | 0x22 | data | | | 1.0588235294117647
RT_GROUP_CURSOR | 0x55af8 | 0x30 | data | | | 0.9375
RT_GROUP_CURSOR | 0x577e0 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x4b6b0 | 0x68 | data | Japanese | Japan | 0.7211538461538461
RT_GROUP_ICON | 0x3c5e0 | 0x30 | data | Japanese | Japan | 1.0
RT_GROUP_ICON | 0x39490 | 0x76 | data | Japanese | Japan | 0.6610169491525424
RT_GROUP_ICON | 0x45550 | 0x68 | data | Japanese | Japan | 0.7115384615384616
RT_GROUP_ICON | 0x3f6e8 | 0x30 | data | Japanese | Japan | 1.0
RT_GROUP_ICON | 0x51ed8 | 0x76 | data | Japanese | Japan | 0.6779661016949152
RT_VERSION | 0x57810 | 0x270 | data | | | 0.5080128205128205
DLL | Import
KERNEL32.dll | PeekNamedPipe, TlsGetValue, LoadLibraryExW, InterlockedCompareExchange, SetComputerNameW, GetTickCount, GetUserDefaultLangID, GlobalAlloc, LoadLibraryW, lstrcatA, GetACP, IsBadStringPtrA, GetLastError, SetLastError, GetProcAddress, SetComputerNameA, GetDiskFreeSpaceW, LoadLibraryA, SetConsoleCtrlHandler, FoldStringW, GetModuleFileNameA, FindFirstVolumeMountPointA, BuildCommDCBA, OutputDebugStringA, TerminateJobObject, GetWindowsDirectoryW, WriteProcessMemory, HeapFree, EncodePointer, DecodePointer, HeapReAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, HeapCreate, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, Sleep, HeapSize, GetModuleHandleW, ExitProcess, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapAlloc, SetUnhandledExceptionFilter, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, UnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, WriteConsoleW, MultiByteToWideChar, SetFilePointer, SetStdHandle, RtlUnwind, GetCPInfo, GetOEMCP, IsValidCodePage, CreateFileW, CloseHandle, GetStringTypeW, LCMapStringW, IsProcessorFeaturePresent
Language of compilation system | Country where language is spoken | Map
Japanese | Japan |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 14, 2024 11:19:57.300287008 CEST | 49706 | 25 | 192.168.2.5 | 52.101.40.26
Jun 14, 2024 11:19:58.301883936 CEST | 49706 | 25 | 192.168.2.5 | 52.101.40.26
Jun 14, 2024 11:20:00.232022047 CEST | 49707 | 443 | 192.168.2.5 | 62.76.228.127
Jun 14, 2024 11:20:00.232121944 CEST | 443 | 49707 | 62.76.228.127 | 192.168.2.5
Jun 14, 2024 11:20:00.232233047 CEST | 49707 | 443 | 192.168.2.5 | 62.76.228.127
Jun 14, 2024 11:20:00.301918030 CEST | 49706 | 25 | 192.168.2.5 | 52.101.40.26
Jun 14, 2024 11:20:04.302027941 CEST | 49706 | 25 | 192.168.2.5 | 52.101.40.26
Jun 14, 2024 11:20:12.301871061 CEST | 49706 | 25 | 192.168.2.5 | 52.101.40.26
Jun 14, 2024 11:20:17.319574118 CEST | 49714 | 25 | 192.168.2.5 | 98.136.96.91
Jun 14, 2024 11:20:18.333168983 CEST | 49714 | 25 | 192.168.2.5 | 98.136.96.91
Jun 14, 2024 11:20:20.333355904 CEST | 49714 | 25 | 192.168.2.5 | 98.136.96.91
Jun 14, 2024 11:20:24.348865032 CEST | 49714 | 25 | 192.168.2.5 | 98.136.96.91
Jun 14, 2024 11:20:32.364329100 CEST | 49714 | 25 | 192.168.2.5 | 98.136.96.91
Jun 14, 2024 11:20:37.337373972 CEST | 64298 | 25 | 192.168.2.5 | 64.233.184.26
Jun 14, 2024 11:20:38.348701000 CEST | 64298 | 25 | 192.168.2.5 | 64.233.184.26
Jun 14, 2024 11:20:40.223820925 CEST | 49707 | 443 | 192.168.2.5 | 62.76.228.127
Jun 14, 2024 11:20:40.224026918 CEST | 443 | 49707 | 62.76.228.127 | 192.168.2.5
Jun 14, 2024 11:20:40.224092960 CEST | 49707 | 443 | 192.168.2.5 | 62.76.228.127
Jun 14, 2024 11:20:40.344501019 CEST | 64299 | 443 | 192.168.2.5 | 62.76.228.127
Jun 14, 2024 11:20:40.344532013 CEST | 443 | 64299 | 62.76.228.127 | 192.168.2.5
Jun 14, 2024 11:20:40.344619036 CEST | 64299 | 443 | 192.168.2.5 | 62.76.228.127
Jun 14, 2024 11:20:40.348694086 CEST | 64298 | 25 | 192.168.2.5 | 64.233.184.26
Jun 14, 2024 11:20:44.348665953 CEST | 64298 | 25 | 192.168.2.5 | 64.233.184.26
Jun 14, 2024 11:20:52.348782063 CEST | 64298 | 25 | 192.168.2.5 | 64.233.184.26
Jun 14, 2024 11:20:57.367269993 CEST | 64300 | 25 | 192.168.2.5 | 217.69.139.150
Jun 14, 2024 11:20:58.379986048 CEST | 64300 | 25 | 192.168.2.5 | 217.69.139.150
Jun 14, 2024 11:21:00.379911900 CEST | 64300 | 25 | 192.168.2.5 | 217.69.139.150
Jun 14, 2024 11:21:04.380215883 CEST | 64300 | 25 | 192.168.2.5 | 217.69.139.150
Jun 14, 2024 11:21:12.395672083 CEST | 64300 | 25 | 192.168.2.5 | 217.69.139.150
Jun 14, 2024 11:21:20.333808899 CEST | 64299 | 443 | 192.168.2.5 | 62.76.228.127
Jun 14, 2024 11:21:20.333946943 CEST | 443 | 64299 | 62.76.228.127 | 192.168.2.5
Jun 14, 2024 11:21:20.334145069 CEST | 64299 | 443 | 192.168.2.5 | 62.76.228.127
Jun 14, 2024 11:21:20.443283081 CEST | 64301 | 443 | 192.168.2.5 | 62.76.228.127
Jun 14, 2024 11:21:20.443377018 CEST | 443 | 64301 | 62.76.228.127 | 192.168.2.5
Jun 14, 2024 11:21:20.443484068 CEST | 64301 | 443 | 192.168.2.5 | 62.76.228.127
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 14, 2024 11:19:57.038203001 CEST | 50046 | 53 | 192.168.2.5 | 1.1.1.1
Jun 14, 2024 11:19:57.299690962 CEST | 53 | 50046 | 1.1.1.1 | 192.168.2.5
Jun 14, 2024 11:20:00.025577068 CEST | 55414 | 53 | 192.168.2.5 | 1.1.1.1
Jun 14, 2024 11:20:00.229147911 CEST | 53 | 55414 | 1.1.1.1 | 192.168.2.5
Jun 14, 2024 11:20:17.302576065 CEST | 61262 | 53 | 192.168.2.5 | 1.1.1.1
Jun 14, 2024 11:20:17.310014009 CEST | 53 | 61262 | 1.1.1.1 | 192.168.2.5
Jun 14, 2024 11:20:17.310559988 CEST | 52137 | 53 | 192.168.2.5 | 1.1.1.1
Jun 14, 2024 11:20:17.318939924 CEST | 53 | 52137 | 1.1.1.1 | 192.168.2.5
Jun 14, 2024 11:20:26.075371027 CEST | 53 | 51589 | 162.159.36.2 | 192.168.2.5
Jun 14, 2024 11:20:26.683720112 CEST | 56341 | 53 | 192.168.2.5 | 1.1.1.1
Jun 14, 2024 11:20:26.712798119 CEST | 53 | 56341 | 1.1.1.1 | 192.168.2.5
Jun 14, 2024 11:20:37.318026066 CEST | 54010 | 53 | 192.168.2.5 | 1.1.1.1
Jun 14, 2024 11:20:37.328125954 CEST | 53 | 54010 | 1.1.1.1 | 192.168.2.5
Jun 14, 2024 11:20:37.329055071 CEST | 49158 | 53 | 192.168.2.5 | 1.1.1.1
Jun 14, 2024 11:20:37.336936951 CEST | 53 | 49158 | 1.1.1.1 | 192.168.2.5
Jun 14, 2024 11:20:40.333730936 CEST | 61793 | 53 | 192.168.2.5 | 1.1.1.1
Jun 14, 2024 11:20:40.342572927 CEST | 53 | 61793 | 1.1.1.1 | 192.168.2.5
Jun 14, 2024 11:20:57.349203110 CEST | 57705 | 53 | 192.168.2.5 | 1.1.1.1
Jun 14, 2024 11:20:57.357225895 CEST | 53 | 57705 | 1.1.1.1 | 192.168.2.5
Jun 14, 2024 11:20:57.357790947 CEST | 60116 | 53 | 192.168.2.5 | 1.1.1.1
Jun 14, 2024 11:20:57.366835117 CEST | 53 | 60116 | 1.1.1.1 | 192.168.2.5
Jun 14, 2024 11:21:56.953308105 CEST | 61726 | 53 | 192.168.2.5 | 1.1.1.1
Jun 14, 2024 11:21:56.983558893 CEST | 53 | 61726 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 14, 2024 11:19:57.038203001 CEST | 192.168.2.5 | 1.1.1.1 | 0xebee | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:00.025577068 CEST | 192.168.2.5 | 1.1.1.1 | 0x146c | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:17.302576065 CEST | 192.168.2.5 | 1.1.1.1 | 0x98a0 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 11:20:17.310559988 CEST | 192.168.2.5 | 1.1.1.1 | 0x8547 | Standard query (0) | mta5.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:26.683720112 CEST | 192.168.2.5 | 1.1.1.1 | 0xe221 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jun 14, 2024 11:20:37.318026066 CEST | 192.168.2.5 | 1.1.1.1 | 0xeb6f | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 11:20:37.329055071 CEST | 192.168.2.5 | 1.1.1.1 | 0xb687 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:40.333730936 CEST | 192.168.2.5 | 1.1.1.1 | 0x70e8 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:57.349203110 CEST | 192.168.2.5 | 1.1.1.1 | 0xa2f0 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 11:20:57.357790947 CEST | 192.168.2.5 | 1.1.1.1 | 0xc492 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:21:56.953308105 CEST | 192.168.2.5 | 1.1.1.1 | 0x94b3 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 14, 2024 11:19:57.299690962 CEST | 1.1.1.1 | 192.168.2.5 | 0xebee | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:19:57.299690962 CEST | 1.1.1.1 | 192.168.2.5 | 0xebee | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:19:57.299690962 CEST | 1.1.1.1 | 192.168.2.5 | 0xebee | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:19:57.299690962 CEST | 1.1.1.1 | 192.168.2.5 | 0xebee | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:00.229147911 CEST | 1.1.1.1 | 192.168.2.5 | 0x146c | No error (0) | vanaheim.cn | | 62.76.228.127 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:17.310014009 CEST | 1.1.1.1 | 192.168.2.5 | 0x98a0 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 11:20:17.310014009 CEST | 1.1.1.1 | 192.168.2.5 | 0x98a0 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 11:20:17.310014009 CEST | 1.1.1.1 | 192.168.2.5 | 0x98a0 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 11:20:17.318939924 CEST | 1.1.1.1 | 192.168.2.5 | 0x8547 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:17.318939924 CEST | 1.1.1.1 | 192.168.2.5 | 0x8547 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.74 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:17.318939924 CEST | 1.1.1.1 | 192.168.2.5 | 0x8547 | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:17.318939924 CEST | 1.1.1.1 | 192.168.2.5 | 0x8547 | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:17.318939924 CEST | 1.1.1.1 | 192.168.2.5 | 0x8547 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.79 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:17.318939924 CEST | 1.1.1.1 | 192.168.2.5 | 0x8547 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:17.318939924 CEST | 1.1.1.1 | 192.168.2.5 | 0x8547 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:17.318939924 CEST | 1.1.1.1 | 192.168.2.5 | 0x8547 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:26.712798119 CEST | 1.1.1.1 | 192.168.2.5 | 0xe221 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jun 14, 2024 11:20:37.328125954 CEST | 1.1.1.1 | 192.168.2.5 | 0xeb6f | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 11:20:37.336936951 CEST | 1.1.1.1 | 192.168.2.5 | 0xb687 | No error (0) | smtp.google.com | | 64.233.184.26 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:37.336936951 CEST | 1.1.1.1 | 192.168.2.5 | 0xb687 | No error (0) | smtp.google.com | | 74.125.206.27 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:37.336936951 CEST | 1.1.1.1 | 192.168.2.5 | 0xb687 | No error (0) | smtp.google.com | | 64.233.184.27 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:37.336936951 CEST | 1.1.1.1 | 192.168.2.5 | 0xb687 | No error (0) | smtp.google.com | | 74.125.206.26 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:37.336936951 CEST | 1.1.1.1 | 192.168.2.5 | 0xb687 | No error (0) | smtp.google.com | | 142.251.173.27 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:40.342572927 CEST | 1.1.1.1 | 192.168.2.5 | 0x70e8 | No error (0) | vanaheim.cn | | 62.76.228.127 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:57.357225895 CEST | 1.1.1.1 | 192.168.2.5 | 0xa2f0 | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 11:20:57.366835117 CEST | 1.1.1.1 | 192.168.2.5 | 0xc492 | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:20:57.366835117 CEST | 1.1.1.1 | 192.168.2.5 | 0xc492 | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:21:56.983558893 CEST | 1.1.1.1 | 192.168.2.5 | 0x94b3 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 11:21:56.983558893 CEST | 1.1.1.1 | 192.168.2.5 | 0x94b3 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 05:19:49
Start date: 14/06/2024
Path: C:\Users\user\Desktop\lYWiDKe1In.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\lYWiDKe1In.exe"
Imagebase: 0x400000
File size: 296'960 bytes
MD5 hash: 985584F5B7BE5D605C1264624F4BD68E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1993040639.0000000000900000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1993040639.0000000000900000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1993040639.0000000000900000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2039090493.0000000000713000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

                                                                    Target ID:2
                                                                    Start time:05:19:50
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\djiglggs\
                                                                    Imagebase:0x790000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:05:19:50
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:05:19:51
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\bvvnqaeq.exe" C:\Windows\SysWOW64\djiglggs\
                                                                    Imagebase:0x790000
                                                                    File size:236'544 bytes
                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:5
                                                                    Start time:05:19:51
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:05:19:52
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\sc.exe" create djiglggs binPath= "C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d\"C:\Users\user\Desktop\lYWiDKe1In.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                    Imagebase:0xc90000
                                                                    File size:61'440 bytes
                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:7
                                                                    Start time:05:19:52
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:05:19:52
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\sc.exe" description djiglggs "wifi internet conection"
                                                                    Imagebase:0xc90000
                                                                    File size:61'440 bytes
                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:05:19:52
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:05:19:53
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\sc.exe" start djiglggs
                                                                    Imagebase:0xc90000
                                                                    File size:61'440 bytes
                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:05:19:53
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:05:19:53
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe /d"C:\Users\user\Desktop\lYWiDKe1In.exe"
                                                                    Imagebase:0x400000
                                                                    File size:11'102'720 bytes
                                                                    MD5 hash:DEA876A83A60426A2C1F32D0E6A77799
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2035375237.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2035375237.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2035375237.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2039369993.000000000047E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2039462010.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2039462010.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2039462010.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:13
                                                                    Start time:05:19:53
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\netsh.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                    Imagebase:0x1080000
                                                                    File size:82'432 bytes
                                                                    MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:14
                                                                    Start time:05:19:53
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                    Imagebase:0x7ff7e52b0000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:15
                                                                    Start time:05:19:54
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:16
                                                                    Start time:05:19:54
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3572 -ip 3572
                                                                    Imagebase:0x260000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:17
                                                                    Start time:05:19:54
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:svchost.exe
                                                                    Imagebase:0x860000
                                                                    File size:46'504 bytes
                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Has exited:false

                                                                    Target ID:18
                                                                    Start time:05:19:54
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1772 -ip 1772
                                                                    Imagebase:0x260000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:05:19:54
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1028
                                                                    Imagebase:0x260000
                                                                    File size:483'680 bytes
                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Has exited:true

                                                                    Target ID:20
                                                                    Start time:05:19:55
                                                                    Start date:14/06/2024
                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 536
Imagebase:0x260000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:05:20:37
Start date:14/06/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:0x7ff7e52b0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false


Execution Graph

Execution Coverage:3.6%
Dynamic/Decrypted Code Coverage:2.1%
Signature Coverage:25.4%
Total number of Nodes:1558
Total number of Limit Nodes:26
GetTickCount 15846->15949 15848 40ec2e codecvt 4 API calls 15847->15848 15848->15849 15849->15838 15849->15839 15851->15846 15853 4030fa 4 API calls 15852->15853 15854 403c1a 15853->15854 15855 403ce6 15854->15855 15954 403a72 15854->15954 15855->15306 15858 403a72 9 API calls 15860 403c5e 15858->15860 15859 403a72 9 API calls 15859->15860 15860->15855 15860->15859 15861 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15860->15861 15861->15860 15863 403a10 15862->15863 15864 4030fa 4 API calls 15863->15864 15865 403a1a 15864->15865 15865->15306 15867 40dd05 6 API calls 15866->15867 15868 40e7be 15867->15868 15868->15306 15870 40c07e wsprintfA 15869->15870 15874 40c105 15869->15874 15963 40bfce GetTickCount wsprintfA 15870->15963 15872 40c0ef 15964 40bfce GetTickCount wsprintfA 15872->15964 15874->15306 15876 407047 15875->15876 15877 406f88 LookupAccountNameA 15875->15877 15876->15306 15879 407025 15877->15879 15880 406fcb 15877->15880 15881 406edd 5 API calls 15879->15881 15882 406fdb ConvertSidToStringSidA 15880->15882 15883 40702a wsprintfA 15881->15883 15882->15879 15884 406ff1 15882->15884 15883->15876 15885 407013 LocalFree 15884->15885 15885->15879 15887 40dd05 6 API calls 15886->15887 15888 40e85c 15887->15888 15889 40dd84 lstrcmpiA 15888->15889 15891 40e867 15889->15891 15890 40e885 lstrcpyA 15968 40dd69 15890->15968 15891->15890 15965 4024a5 15891->15965 15897 407db7 2 API calls 15896->15897 15898 407de1 15897->15898 15899 407e16 15898->15899 15900 40f04e 4 API calls 15898->15900 15899->15306 15901 407df2 15900->15901 15901->15899 15902 40f04e 4 API calls 15901->15902 15902->15899 15904 40dd84 lstrcmpiA 15903->15904 15905 40c58e 15904->15905 15905->15754 15905->15760 15905->15763 15907 40f33b 15906->15907 15914 40ca1d 15906->15914 15908 40f347 htons socket 15907->15908 15909 40f382 ioctlsocket 15908->15909 15910 40f374 closesocket 15908->15910 15911 40f3aa connect select 15909->15911 15912 40f39d 15909->15912 15910->15914 15911->15914 15915 
40f3f2 __WSAFDIsSet 15911->15915 15913 40f39f closesocket 15912->15913 15913->15914 15914->15225 15914->15779 15915->15913 15916 40f403 ioctlsocket 15915->15916 15918 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15916->15918 15918->15914 15920 407dc8 InterlockedExchange 15919->15920 15921 407dc0 Sleep 15920->15921 15922 407dd4 15920->15922 15921->15920 15922->15806 15922->15807 15924 40e184 15923->15924 15925 40e2e4 15924->15925 15926 40e223 15924->15926 15939 40dfe2 15924->15939 15925->15834 15926->15925 15928 40dfe2 8 API calls 15926->15928 15932 40e23c 15928->15932 15929 40e1be 15929->15926 15930 40dbcf 3 API calls 15929->15930 15933 40e1d6 15930->15933 15931 40e21a CloseHandle 15931->15926 15932->15925 15943 40e095 RegCreateKeyExA 15932->15943 15933->15926 15933->15931 15934 40e1f9 WriteFile 15933->15934 15934->15931 15936 40e213 15934->15936 15936->15931 15937 40e2a3 15937->15925 15938 40e095 4 API calls 15937->15938 15938->15925 15940 40dffc 15939->15940 15942 40e024 15939->15942 15941 40db2e 8 API calls 15940->15941 15940->15942 15941->15942 15942->15929 15944 40e172 15943->15944 15946 40e0c0 15943->15946 15944->15937 15945 40e13d 15947 40e14e RegDeleteValueA RegCloseKey 15945->15947 15946->15945 15948 40e115 RegSetValueExA 15946->15948 15947->15944 15948->15945 15948->15946 15950 403122 InterlockedExchange 15949->15950 15951 40312e 15950->15951 15952 40310f GetTickCount 15950->15952 15951->15846 15952->15951 15953 40311a Sleep 15952->15953 15953->15950 15955 40f04e 4 API calls 15954->15955 15962 403a83 15955->15962 15956 403ac1 15956->15855 15956->15858 15957 403be6 15959 40ec2e codecvt 4 API calls 15957->15959 15958 403bc0 15958->15957 15960 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15958->15960 15959->15956 15960->15958 15961 403b66 lstrlenA 15961->15956 15961->15962 15962->15956 15962->15958 15962->15961 15963->15872 15964->15874 15966 402419 4 API calls 15965->15966 15967 4024b6 15966->15967 15967->15890 15969 
40dd79 lstrlenA 15968->15969 15969->15306 15971 404084 15970->15971 15972 40407d 15970->15972 15973 403ecd 6 API calls 15971->15973 15974 40408f 15973->15974 15975 404000 3 API calls 15974->15975 15977 404095 15975->15977 15976 404130 15978 403ecd 6 API calls 15976->15978 15977->15976 15982 403f18 4 API calls 15977->15982 15979 404159 CreateNamedPipeA 15978->15979 15980 404167 Sleep 15979->15980 15981 404188 ConnectNamedPipe 15979->15981 15980->15976 15983 404176 CloseHandle 15980->15983 15985 404195 GetLastError 15981->15985 15995 4041ab 15981->15995 15984 4040da 15982->15984 15983->15981 15986 403f8c 4 API calls 15984->15986 15987 40425e DisconnectNamedPipe 15985->15987 15985->15995 15988 4040ec 15986->15988 15987->15981 15989 404127 CloseHandle 15988->15989 15990 404101 15988->15990 15989->15976 15991 403f18 4 API calls 15990->15991 15992 40411c ExitProcess 15991->15992 15993 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15993->15995 15994 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15994->15995 15995->15981 15995->15987 15995->15993 15995->15994 15996 40426a CloseHandle CloseHandle 15995->15996 15997 40e318 23 API calls 15996->15997 15998 40427b 15997->15998 15998->15998 16000 408791 15999->16000 16001 40879f 15999->16001 16002 40f04e 4 API calls 16000->16002 16003 4087bc 16001->16003 16004 40f04e 4 API calls 16001->16004 16002->16001 16005 40e819 11 API calls 16003->16005 16004->16003 16006 4087d7 16005->16006 16019 408803 16006->16019 16021 4026b2 gethostbyaddr 16006->16021 16009 4087eb 16011 40e8a1 30 API calls 16009->16011 16009->16019 16011->16019 16014 40e819 11 API calls 16014->16019 16015 4088a0 Sleep 16015->16019 16016 4026b2 2 API calls 16016->16019 16017 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16017->16019 16019->16014 16019->16015 16019->16016 16019->16017 16020 40e8a1 30 API calls 16019->16020 16026 408cee 16019->16026 16034 40c4d6 16019->16034 16037 40c4e2 
16019->16037 16040 402011 16019->16040 16075 408328 16019->16075 16020->16019 16022 4026fb 16021->16022 16023 4026cd 16021->16023 16022->16009 16024 4026e1 inet_ntoa 16023->16024 16025 4026de 16023->16025 16024->16025 16025->16009 16027 408d02 GetTickCount 16026->16027 16028 408dae 16026->16028 16027->16028 16031 408d19 16027->16031 16028->16019 16029 408da1 GetTickCount 16029->16028 16031->16029 16033 408d89 16031->16033 16127 40a677 16031->16127 16130 40a688 16031->16130 16033->16029 16138 40c2dc 16034->16138 16038 40c2dc 141 API calls 16037->16038 16039 40c4ec 16038->16039 16039->16019 16041 402020 16040->16041 16042 40202e 16040->16042 16043 40f04e 4 API calls 16041->16043 16044 40204b 16042->16044 16045 40f04e 4 API calls 16042->16045 16043->16042 16046 40206e GetTickCount 16044->16046 16048 40f04e 4 API calls 16044->16048 16045->16044 16047 4020db GetTickCount 16046->16047 16057 402090 16046->16057 16051 402132 GetTickCount GetTickCount 16047->16051 16058 4020e7 16047->16058 16049 402068 16048->16049 16049->16046 16050 4020d4 GetTickCount 16050->16047 16053 40f04e 4 API calls 16051->16053 16052 40212b GetTickCount 16052->16051 16055 402159 16053->16055 16054 402684 2 API calls 16054->16057 16060 40e854 13 API calls 16055->16060 16068 4021b4 16055->16068 16057->16050 16057->16054 16064 4020ce 16057->16064 16465 401978 16057->16465 16058->16052 16066 401978 15 API calls 16058->16066 16070 402125 16058->16070 16470 402ef8 16058->16470 16059 40f04e 4 API calls 16063 4021d1 16059->16063 16061 40218e 16060->16061 16065 40e819 11 API calls 16061->16065 16067 40ea84 30 API calls 16063->16067 16074 4021f2 16063->16074 16064->16050 16069 40219c 16065->16069 16066->16058 16071 4021ec 16067->16071 16068->16059 16069->16068 16478 401c5f 16069->16478 16070->16052 16072 40f04e 4 API calls 16071->16072 16072->16074 16074->16019 16076 407dd6 6 API calls 16075->16076 16077 40833c 16076->16077 16078 406ec3 2 API calls 16077->16078 16104 408340 16077->16104 16079 40834f 
16078->16079 16080 40835c 16079->16080 16086 40846b 16079->16086 16081 4073ff 17 API calls 16080->16081 16105 408373 16081->16105 16082 4085df 16083 408626 GetTempPathA 16082->16083 16084 408638 16082->16084 16094 408762 16082->16094 16083->16084 16550 406ba7 IsBadCodePtr 16084->16550 16085 40675c 21 API calls 16085->16082 16088 4084a7 RegOpenKeyExA 16086->16088 16101 408450 16086->16101 16090 4084c0 RegQueryValueExA 16088->16090 16091 40852f 16088->16091 16089 4086ad 16089->16094 16095 407e2f 6 API calls 16089->16095 16092 408521 RegCloseKey 16090->16092 16093 4084dd 16090->16093 16096 408564 RegOpenKeyExA 16091->16096 16107 4085a5 16091->16107 16092->16091 16093->16092 16098 40ebcc 4 API calls 16093->16098 16100 40ec2e codecvt 4 API calls 16094->16100 16094->16104 16108 4086bb 16095->16108 16097 408573 RegSetValueExA RegCloseKey 16096->16097 16096->16107 16097->16107 16103 4084f0 16098->16103 16099 40875b DeleteFileA 16099->16094 16100->16104 16101->16082 16101->16085 16103->16092 16106 4084f8 RegQueryValueExA 16103->16106 16104->16019 16105->16101 16105->16104 16109 4083ea RegOpenKeyExA 16105->16109 16106->16092 16111 408515 16106->16111 16107->16101 16112 40ec2e codecvt 4 API calls 16107->16112 16108->16099 16116 4086e0 lstrcpyA lstrlenA 16108->16116 16109->16101 16110 4083fd RegQueryValueExA 16109->16110 16113 40842d RegSetValueExA 16110->16113 16114 40841e 16110->16114 16115 40ec2e codecvt 4 API calls 16111->16115 16112->16101 16117 408447 RegCloseKey 16113->16117 16114->16113 16114->16117 16118 40851d 16115->16118 16119 407fcf 64 API calls 16116->16119 16117->16101 16118->16092 16120 408719 CreateProcessA 16119->16120 16121 40873d CloseHandle CloseHandle 16120->16121 16122 40874f 16120->16122 16121->16094 16123 407ee6 64 API calls 16122->16123 16124 408754 16123->16124 16125 407ead 6 API calls 16124->16125 16126 40875a 16125->16126 16126->16099 16133 40a63d 16127->16133 16129 40a685 16129->16031 16131 40a63d GetTickCount 16130->16131 16132 40a696 
16131->16132 16132->16031 16134 40a645 16133->16134 16135 40a64d 16133->16135 16134->16129 16136 40a66e 16135->16136 16137 40a65e GetTickCount 16135->16137 16136->16129 16137->16136 16154 40a4c7 GetTickCount 16138->16154 16141 40c300 GetTickCount 16143 40c337 16141->16143 16142 40c326 16142->16143 16144 40c32b GetTickCount 16142->16144 16147 40c363 GetTickCount 16143->16147 16153 40c45e 16143->16153 16144->16143 16145 40c4d2 16145->16019 16146 40c4ab InterlockedIncrement CreateThread 16146->16145 16148 40c4cb CloseHandle 16146->16148 16159 40b535 16146->16159 16149 40c373 16147->16149 16147->16153 16148->16145 16150 40c378 GetTickCount 16149->16150 16151 40c37f 16149->16151 16150->16151 16152 40c43b GetTickCount 16151->16152 16152->16153 16153->16145 16153->16146 16155 40a4f7 InterlockedExchange 16154->16155 16156 40a500 16155->16156 16157 40a4e4 GetTickCount 16155->16157 16156->16141 16156->16142 16156->16153 16157->16156 16158 40a4ef Sleep 16157->16158 16158->16155 16160 40b566 16159->16160 16161 40ebcc 4 API calls 16160->16161 16162 40b587 16161->16162 16163 40ebcc 4 API calls 16162->16163 16200 40b590 16163->16200 16164 40bdcd InterlockedDecrement 16165 40bde2 16164->16165 16167 40ec2e codecvt 4 API calls 16165->16167 16168 40bdea 16167->16168 16169 40ec2e codecvt 4 API calls 16168->16169 16171 40bdf2 16169->16171 16170 40bdb7 Sleep 16170->16200 16172 40be05 16171->16172 16174 40ec2e codecvt 4 API calls 16171->16174 16173 40bdcc 16173->16164 16174->16172 16175 40ebed 8 API calls 16175->16200 16178 40b6b6 lstrlenA 16178->16200 16179 4030b5 2 API calls 16179->16200 16180 40b6ed lstrcpyA 16234 405ce1 16180->16234 16181 40e819 11 API calls 16181->16200 16184 40b731 lstrlenA 16184->16200 16185 40b71f lstrcmpA 16185->16184 16185->16200 16186 40b772 GetTickCount 16186->16200 16187 40bd49 InterlockedIncrement 16328 40a628 16187->16328 16190 4038f0 6 API calls 16190->16200 16191 40bc5b InterlockedIncrement 16191->16200 16192 40b7ce InterlockedIncrement 16244 40acd7 
16192->16244 16195 40b912 GetTickCount 16195->16200 16196 40b826 InterlockedIncrement 16196->16186 16197 40b932 GetTickCount 16199 40bc6d InterlockedIncrement 16197->16199 16197->16200 16198 40bcdc closesocket 16198->16200 16199->16200 16200->16164 16200->16170 16200->16173 16200->16175 16200->16178 16200->16179 16200->16180 16200->16181 16200->16184 16200->16185 16200->16186 16200->16187 16200->16190 16200->16191 16200->16192 16200->16195 16200->16196 16200->16197 16200->16198 16202 40bba6 InterlockedIncrement 16200->16202 16205 40bc4c closesocket 16200->16205 16207 405ce1 22 API calls 16200->16207 16208 40ba71 wsprintfA 16200->16208 16209 40ab81 lstrcpynA InterlockedIncrement 16200->16209 16212 40a7c1 22 API calls 16200->16212 16213 40ef1e lstrlenA 16200->16213 16214 405ded 12 API calls 16200->16214 16215 40a688 GetTickCount 16200->16215 16216 403e10 16200->16216 16219 403e4f 16200->16219 16222 40384f 16200->16222 16242 40a7a3 inet_ntoa 16200->16242 16249 40abee 16200->16249 16261 401feb GetTickCount 16200->16261 16282 403cfb 16200->16282 16285 40b3c5 16200->16285 16316 40ab81 16200->16316 16202->16200 16205->16200 16207->16200 16262 40a7c1 16208->16262 16209->16200 16212->16200 16213->16200 16214->16200 16215->16200 16217 4030fa 4 API calls 16216->16217 16218 403e1d 16217->16218 16218->16200 16220 4030fa 4 API calls 16219->16220 16221 403e5c 16220->16221 16221->16200 16223 4030fa 4 API calls 16222->16223 16224 403863 16223->16224 16225 4038b9 16224->16225 16226 403889 16224->16226 16233 4038b2 16224->16233 16337 4035f9 16225->16337 16331 403718 16226->16331 16231 403718 6 API calls 16231->16233 16232 4035f9 6 API calls 16232->16233 16233->16200 16235 405cf4 16234->16235 16236 405cec 16234->16236 16238 404bd1 4 API calls 16235->16238 16343 404bd1 GetTickCount 16236->16343 16239 405d02 16238->16239 16348 405472 16239->16348 16243 40a7b9 16242->16243 16243->16200 16245 40f315 14 API calls 16244->16245 16246 40aceb 16245->16246 16247 40acff 16246->16247 16248 40f315 
14 API calls 16246->16248 16247->16200 16248->16247 16250 40abfb 16249->16250 16253 40ac65 16250->16253 16411 402f22 16250->16411 16252 40f315 14 API calls 16252->16253 16253->16252 16254 40ac8a 16253->16254 16255 40ac6f 16253->16255 16254->16200 16257 40ab81 2 API calls 16255->16257 16256 40ac23 16256->16253 16258 402684 2 API calls 16256->16258 16259 40ac81 16257->16259 16258->16256 16419 4038f0 16259->16419 16261->16200 16263 40a87d lstrlenA send 16262->16263 16264 40a7df 16262->16264 16265 40a899 16263->16265 16266 40a8bf 16263->16266 16264->16263 16267 40a8f2 16264->16267 16268 40a80a 16264->16268 16272 40a7fa wsprintfA 16264->16272 16269 40a8a5 wsprintfA 16265->16269 16281 40a89e 16265->16281 16266->16267 16270 40a8c4 send 16266->16270 16271 40a978 recv 16267->16271 16274 40a9b0 wsprintfA 16267->16274 16275 40a982 16267->16275 16268->16263 16269->16281 16270->16267 16273 40a8d8 wsprintfA 16270->16273 16271->16267 16271->16275 16272->16268 16273->16281 16274->16281 16276 4030b5 2 API calls 16275->16276 16275->16281 16277 40ab05 16276->16277 16278 40e819 11 API calls 16277->16278 16279 40ab17 16278->16279 16280 40a7a3 inet_ntoa 16279->16280 16280->16281 16281->16200 16283 4030fa 4 API calls 16282->16283 16284 403d0b 16283->16284 16284->16200 16286 405ce1 22 API calls 16285->16286 16287 40b3e6 16286->16287 16288 405ce1 22 API calls 16287->16288 16290 40b404 16288->16290 16289 40b440 16291 40ef7c 3 API calls 16289->16291 16290->16289 16292 40ef7c 3 API calls 16290->16292 16293 40b458 wsprintfA 16291->16293 16294 40b42b 16292->16294 16295 40ef7c 3 API calls 16293->16295 16296 40ef7c 3 API calls 16294->16296 16297 40b480 16295->16297 16296->16289 16298 40ef7c 3 API calls 16297->16298 16299 40b493 16298->16299 16300 40ef7c 3 API calls 16299->16300 16301 40b4bb 16300->16301 16433 40ad89 GetLocalTime SystemTimeToFileTime 16301->16433 16305 40b4cc 16306 40ef7c 3 API calls 16305->16306 16307 40b4dd 16306->16307 16308 40b211 7 API calls 16307->16308 16309 40b4ec 
16308->16309 16310 40ef7c 3 API calls 16309->16310 16311 40b4fd 16310->16311 16312 40b211 7 API calls 16311->16312 16313 40b509 16312->16313 16314 40ef7c 3 API calls 16313->16314 16315 40b51a 16314->16315 16315->16200 16317 40abe9 GetTickCount 16316->16317 16319 40ab8c 16316->16319 16321 40a51d 16317->16321 16318 40aba8 lstrcpynA 16318->16319 16319->16317 16319->16318 16320 40abe1 InterlockedIncrement 16319->16320 16320->16319 16322 40a4c7 4 API calls 16321->16322 16323 40a52c 16322->16323 16324 40a542 GetTickCount 16323->16324 16326 40a539 GetTickCount 16323->16326 16324->16326 16327 40a56c 16326->16327 16327->16200 16329 40a4c7 4 API calls 16328->16329 16330 40a633 16329->16330 16330->16200 16332 40f04e 4 API calls 16331->16332 16334 40372a 16332->16334 16333 403847 16333->16231 16333->16233 16334->16333 16335 4037b3 GetCurrentThreadId 16334->16335 16335->16334 16336 4037c8 GetCurrentThreadId 16335->16336 16336->16334 16338 40f04e 4 API calls 16337->16338 16342 40360c 16338->16342 16339 4036f1 16339->16232 16339->16233 16340 4036da GetCurrentThreadId 16340->16339 16341 4036e5 GetCurrentThreadId 16340->16341 16341->16339 16342->16339 16342->16340 16344 404bff InterlockedExchange 16343->16344 16345 404c08 16344->16345 16346 404bec GetTickCount 16344->16346 16345->16235 16346->16345 16347 404bf7 Sleep 16346->16347 16347->16344 16367 404763 16348->16367 16350 405b58 16377 404699 16350->16377 16353 404763 lstrlenA 16354 405b6e 16353->16354 16398 404f9f 16354->16398 16356 405b79 16356->16200 16357 40548a 16357->16350 16361 40558d lstrcpynA 16357->16361 16362 405a9f lstrcpyA 16357->16362 16363 405472 13 API calls 16357->16363 16364 405935 lstrcpynA 16357->16364 16365 4058e7 lstrcpyA 16357->16365 16366 404ae6 8 API calls 16357->16366 16371 404ae6 16357->16371 16375 40ef7c lstrlenA lstrlenA lstrlenA 16357->16375 16359 405549 lstrlenA 16359->16357 16361->16357 16362->16357 16363->16357 16364->16357 16365->16357 16366->16357 16369 40477a 16367->16369 16368 404859 
16368->16357 16369->16368 16370 40480d lstrlenA 16369->16370 16370->16369 16372 404af3 16371->16372 16374 404b03 16371->16374 16373 40ebed 8 API calls 16372->16373 16373->16374 16374->16359 16376 40efb4 16375->16376 16376->16357 16403 4045b3 16377->16403 16380 4045b3 7 API calls 16381 4046c6 16380->16381 16382 4045b3 7 API calls 16381->16382 16383 4046d8 16382->16383 16384 4045b3 7 API calls 16383->16384 16385 4046ea 16384->16385 16386 4045b3 7 API calls 16385->16386 16387 4046ff 16386->16387 16388 4045b3 7 API calls 16387->16388 16389 404711 16388->16389 16390 4045b3 7 API calls 16389->16390 16391 404723 16390->16391 16392 40ef7c 3 API calls 16391->16392 16393 404735 16392->16393 16394 40ef7c 3 API calls 16393->16394 16395 40474a 16394->16395 16396 40ef7c 3 API calls 16395->16396 16397 40475c 16396->16397 16397->16353 16399 404fac 16398->16399 16402 404fb0 16398->16402 16399->16356 16400 404ffd 16400->16356 16401 404fd5 IsBadCodePtr 16401->16402 16402->16400 16402->16401 16404 4045c1 16403->16404 16405 4045c8 16403->16405 16406 40ebcc 4 API calls 16404->16406 16407 40ebcc 4 API calls 16405->16407 16409 4045e1 16405->16409 16406->16405 16407->16409 16408 404691 16408->16380 16409->16408 16410 40ef7c 3 API calls 16409->16410 16410->16409 16426 402d21 GetModuleHandleA 16411->16426 16414 402f85 16415 402fcf GetProcessHeap HeapFree 16414->16415 16418 402f44 16415->16418 16416 402f4f 16417 402f6b GetProcessHeap HeapFree 16416->16417 16417->16418 16418->16256 16420 403900 16419->16420 16421 403980 16419->16421 16422 4030fa 4 API calls 16420->16422 16421->16254 16424 40390a 16422->16424 16423 40391b GetCurrentThreadId 16423->16424 16424->16421 16424->16423 16425 403939 GetCurrentThreadId 16424->16425 16425->16424 16427 402d46 LoadLibraryA 16426->16427 16428 402d5b GetProcAddress 16426->16428 16427->16428 16430 402d54 16427->16430 16428->16430 16432 402d6b 16428->16432 16429 402d97 GetProcessHeap HeapAlloc 16429->16430 16429->16432 16430->16414 16430->16416 16430->16418 
16431 402db5 lstrcpynA 16431->16432 16432->16429 16432->16430 16432->16431 16434 40adbf 16433->16434 16458 40ad08 gethostname 16434->16458 16437 4030b5 2 API calls 16438 40add3 16437->16438 16439 40a7a3 inet_ntoa 16438->16439 16440 40ade4 16438->16440 16439->16440 16441 40ae85 wsprintfA 16440->16441 16444 40ae36 wsprintfA wsprintfA 16440->16444 16442 40ef7c 3 API calls 16441->16442 16443 40aebb 16442->16443 16445 40ef7c 3 API calls 16443->16445 16446 40ef7c 3 API calls 16444->16446 16447 40aed2 16445->16447 16446->16440 16448 40b211 16447->16448 16449 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16448->16449 16450 40b2af GetLocalTime 16448->16450 16451 40b2d2 16449->16451 16450->16451 16452 40b2d9 SystemTimeToFileTime 16451->16452 16453 40b31c GetTimeZoneInformation 16451->16453 16454 40b2ec 16452->16454 16455 40b33a wsprintfA 16453->16455 16456 40b312 FileTimeToSystemTime 16454->16456 16455->16305 16456->16453 16459 40ad71 16458->16459 16464 40ad26 lstrlenA 16458->16464 16461 40ad85 16459->16461 16462 40ad79 lstrcpyA 16459->16462 16461->16437 16462->16461 16463 40ad68 lstrlenA 16463->16459 16464->16459 16464->16463 16466 40f428 14 API calls 16465->16466 16467 40198a 16466->16467 16468 401990 closesocket 16467->16468 16469 401998 16467->16469 16468->16469 16469->16057 16471 402d21 6 API calls 16470->16471 16472 402f01 16471->16472 16473 402f0f 16472->16473 16486 402df2 GetModuleHandleA 16472->16486 16475 402684 2 API calls 16473->16475 16477 402f1f 16473->16477 16476 402f1d 16475->16476 16476->16058 16477->16058 16479 401c80 16478->16479 16480 401d1c 16479->16480 16481 401cc2 wsprintfA 16479->16481 16484 401d79 16479->16484 16483 401d47 wsprintfA 16480->16483 16482 402684 2 API calls 16481->16482 16482->16479 16485 402684 2 API calls 16483->16485 16484->16068 16485->16484 16487 402e10 LoadLibraryA 16486->16487 16488 402e0b 16486->16488 16489 402e17 16487->16489 16488->16487 16488->16489 16490 402ef1 16489->16490 16491 402e28 GetProcAddress 16489->16491 
16490->16473 16491->16490 16492 402e3e GetProcessHeap HeapAlloc 16491->16492 16493 402e62 16492->16493 16493->16490 16494 402ede GetProcessHeap HeapFree 16493->16494 16495 402e7f htons inet_addr 16493->16495 16496 402ea5 gethostbyname 16493->16496 16498 402ceb 16493->16498 16494->16490 16495->16493 16495->16496 16496->16493 16499 402cf2 16498->16499 16501 402d1c 16499->16501 16502 402d0e Sleep 16499->16502 16503 402a62 GetProcessHeap HeapAlloc 16499->16503 16501->16493 16502->16499 16502->16501 16504 402a92 16503->16504 16505 402a99 socket 16503->16505 16504->16499 16506 402cd3 GetProcessHeap HeapFree 16505->16506 16507 402ab4 16505->16507 16506->16504 16507->16506 16521 402abd 16507->16521 16508 402adb htons 16523 4026ff 16508->16523 16510 402b04 select 16510->16521 16511 402ca4 16512 402cb3 GetProcessHeap HeapFree closesocket 16511->16512 16512->16504 16513 402b3f recv 16513->16521 16514 402b66 htons 16514->16511 16514->16521 16515 402b87 htons 16515->16511 16515->16521 16518 402bf3 GetProcessHeap HeapAlloc 16518->16521 16519 402c17 htons 16538 402871 16519->16538 16521->16508 16521->16510 16521->16511 16521->16512 16521->16513 16521->16514 16521->16515 16521->16518 16521->16519 16522 402c4d GetProcessHeap HeapFree 16521->16522 16530 402923 16521->16530 16542 402904 16521->16542 16522->16521 16524 40271d 16523->16524 16525 402717 16523->16525 16527 40272b GetTickCount htons 16524->16527 16526 40ebcc 4 API calls 16525->16526 16526->16524 16528 4027cc htons htons sendto 16527->16528 16529 40278a 16527->16529 16528->16521 16529->16528 16531 402944 16530->16531 16534 40293d 16530->16534 16546 402816 htons 16531->16546 16533 402950 16533->16534 16535 402871 htons 16533->16535 16536 4029bd htons htons htons 16533->16536 16534->16521 16535->16533 16536->16534 16537 4029f6 GetProcessHeap HeapAlloc 16536->16537 16537->16533 16537->16534 16539 4028e3 16538->16539 16541 402889 16538->16541 16539->16521 16540 4028c3 htons 16540->16539 16540->16541 16541->16539 16541->16540 
16543 402921 16542->16543 16544 402908 16542->16544 16543->16521 16545 402909 GetProcessHeap HeapFree 16544->16545 16545->16543 16545->16545 16547 40286b 16546->16547 16548 402836 16546->16548 16547->16533 16548->16547 16549 40285c htons 16548->16549 16549->16547 16549->16548 16551 406bbc 16550->16551 16552 406bc0 16550->16552 16551->16089 16553 40ebcc 4 API calls 16552->16553 16563 406bd4 16552->16563 16554 406be4 16553->16554 16555 406c07 CreateFileA 16554->16555 16556 406bfc 16554->16556 16554->16563 16557 406c34 WriteFile 16555->16557 16558 406c2a 16555->16558 16559 40ec2e codecvt 4 API calls 16556->16559 16561 406c49 CloseHandle DeleteFileA 16557->16561 16562 406c5a CloseHandle 16557->16562 16560 40ec2e codecvt 4 API calls 16558->16560 16559->16563 16560->16563 16561->16558 16564 40ec2e codecvt 4 API calls 16562->16564 16563->16089 16564->16563 16593 71742e 16596 71743e 16593->16596 16597 71744d 16596->16597 16600 717bde 16597->16600 16601 717bf9 16600->16601 16602 717c02 CreateToolhelp32Snapshot 16601->16602 16603 717c1e Module32First 16601->16603 16602->16601 16602->16603 16604 71743d 16603->16604 16605 717c2d 16603->16605 16607 71789d 16605->16607 16608 7178c8 16607->16608 16609 717911 16608->16609 16610 7178d9 VirtualAlloc 16608->16610 16609->16609 16610->16609 16565 6e0005 16570 6e092b GetPEB 16565->16570 16567 6e0030 16572 6e003c 16567->16572 16571 6e0972 16570->16571 16571->16567 16573 6e0049 16572->16573 16587 6e0e0f SetErrorMode SetErrorMode 16573->16587 16578 6e0265 16579 6e02ce VirtualProtect 16578->16579 16581 6e030b 16579->16581 16580 6e0439 VirtualFree 16585 6e05f4 LoadLibraryA 16580->16585 16586 6e04be 16580->16586 16581->16580 16582 6e04e3 LoadLibraryA 16582->16586 16584 6e08c7 16585->16584 16586->16582 16586->16585 16588 6e0223 16587->16588 16589 6e0d90 16588->16589 16590 6e0dad 16589->16590 16591 6e0dbb GetPEB 16590->16591 16592 6e0238 VirtualAlloc 16590->16592 16591->16592 16592->16578
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                      • wsprintfA.USER32 ref: 0040A0B6
                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                      • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                        • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                      • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                      • GetLastError.KERNEL32 ref: 0040A3ED
                                                                      • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                      • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                      • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                      • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                      • GetTickCount.KERNEL32 ref: 0040A49F
                                                                      • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                      • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                      • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                      • API String ID: 2089075347-2824936573
                                                                      • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                      • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69
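The API listing above is the sandbox's per-function export: one line per imported call, the arguments it could read from the stack at call time (unknown ones as ?) and the return address. Triage means decoding the same Win32 constants every time (80000001 is HKEY_CURRENT_USER, 08000000 in CreateProcessA is CREATE_NO_WINDOW, 00000001 as the RegSetValueExA type is REG_SZ, 00000003 to SetErrorMode suppresses both critical-error and GPF dialogs). The following is an added Python helper, not part of the Joe Sandbox report or of the sample, that parses lines in this format and annotates those constants; it also covers the CreateFileA, CreateToolhelp32Snapshot and RegOpenKeyExA lines from the other functions on this page. The sample lines are copied from this page and the constant tables are the public SDK values. One caveat, also stated in the code: the argument columns are reconstructed heuristically from the stack and can be shifted or stale, so every annotation is a hint to confirm in the disassembly. The RegOpenKeyExA at 00407472 is an instance: the 00020119 it shows (KEY_READ with KEY_WOW64_64KEY) sits in the ulOptions column, one slot before samDesired, so the helper deliberately does not decode it.

```python
import re

# Constructed sample: API-call lines copied from the function listings on this page.
SAMPLE_LISTING = """
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetCommandLineA.KERNEL32 ref: 00409AFD
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• Sleep.KERNEL32(000003E8), ref: 0040A400
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00717C06
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
"""

# One listing line: optional bullet, optional "Part of subcall function X:" prefix,
# Api.MODULE, optional (args), then "ref: <return address>".
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 constants (public SDK definitions).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
PROC_FLAGS = {0x08000000: "CREATE_NO_WINDOW", 0x00000004: "CREATE_SUSPENDED",
              0x00000008: "DETACHED_PROCESS", 0x00000010: "CREATE_NEW_CONSOLE"}
TH32CS = {0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
SEM = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
       0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}


def parse_api_line(line):
    """Return {api, module, args, ref, subcall} for one line, or None if it is not a call line.
    '?' becomes None, hex words become ints, anything else (a string the sandbox resolved
    from the stack, e.g. PromptOnSecureDesktop) is kept verbatim."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    for a in (m.group("args") or "").split(","):
        a = a.strip()
        if not a:
            continue
        if a == "?":
            args.append(None)
        else:
            try:
                args.append(int(a, 16))
            except ValueError:
                args.append(a)
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": int(m.group("ref"), 16), "subcall": m.group("sub") is not None}


def _arg(call, i):
    return call["args"][i] if i < len(call["args"]) else None


def _bits(value, table):
    return [name for bit, name in table.items() if isinstance(value, int) and value & bit]


def decode(call):
    """Human-readable notes for constants at their documented prototype positions.
    The sandbox reconstructs arguments from the stack at call time, so a column can be
    shifted or stale; treat every note as a hint to confirm in the disassembly."""
    api = call["api"]
    if api.startswith(("RegOpenKeyEx", "RegCreateKeyEx")):
        return [HIVES[_arg(call, 0)]] if _arg(call, 0) in HIVES else []
    if api.startswith("RegSetValueEx"):
        return [REG_TYPES[_arg(call, 3)]] if _arg(call, 3) in REG_TYPES else []
    if api.startswith("CreateProcess"):
        return _bits(_arg(call, 5), PROC_FLAGS)
    if api.startswith("CreateFile"):
        notes = _bits(_arg(call, 1), {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"})
        return notes + ([DISPOSITION[_arg(call, 4)]] if _arg(call, 4) in DISPOSITION else [])
    if api == "CreateToolhelp32Snapshot":
        return _bits(_arg(call, 0), TH32CS)
    if api == "SetErrorMode":
        return _bits(_arg(call, 0), SEM)
    if api == "Sleep" and isinstance(_arg(call, 0), int):
        return [f"{_arg(call, 0)} ms"]
    return []


def summarize(listing):
    """(return address, API, notes) for every call line in the listing, in page order."""
    calls = (parse_api_line(l) for l in listing.splitlines())
    return [(f"{c['ref']:08X}", c["api"], decode(c)) for c in calls if c]


if __name__ == "__main__":
    for ref, api, notes in summarize(SAMPLE_LISTING):
        print(ref, api, ", ".join(notes))
```

Run it as a script to get one annotated line per call; paste any other function's API block into SAMPLE_LISTING (or pass it to summarize) to triage it the same way. Lines that are not call lines, such as the Strings or Memory Dump Source headings, are skipped rather than rejected.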

                                                                      Control-flow Graph

                                                                      control_flow_graph 497 409326-409348 call 401910 GetVersionExA 500 409358-40935c 497->500 501 40934a-409356 497->501 502 409360-40937d GetModuleHandleA GetModuleFileNameA 500->502 501->502 503 409385-4093a2 502->503 504 40937f 502->504 505 4093a4-4093d7 call 402544 wsprintfA 503->505 506 4093d9-409412 call 402544 wsprintfA 503->506 504->503 511 409415-40942c call 40ee2a 505->511 506->511 514 4094a3-4094b3 call 406edd 511->514 515 40942e-409432 511->515 521 4094b9-4094f9 call 402544 RegOpenKeyExA 514->521 522 40962f-409632 514->522 515->514 517 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 515->517 517->514 531 409502-40952e call 402544 RegQueryValueExA 521->531 532 4094fb-409500 521->532 525 409634-409637 522->525 528 409639-40964a call 401820 525->528 529 40967b-409682 525->529 540 40964c-409662 528->540 541 40966d-409679 528->541 534 409683 call 4091eb 529->534 549 409530-409537 531->549 550 409539-409565 call 402544 RegQueryValueExA 531->550 536 40957a-40957f 532->536 544 409688-409690 534->544 545 409581-409584 536->545 546 40958a-40958d 536->546 547 409664-40966b 540->547 548 40962b-40962d 540->548 541->534 552 409692 544->552 553 409698-4096a0 544->553 545->525 545->546 546->529 554 409593-40959a 546->554 547->548 560 4096a2-4096a9 548->560 557 40956e-409577 RegCloseKey 549->557 550->557 566 409567 550->566 552->553 553->560 555 40961a-40961f 554->555 556 40959c-4095a1 554->556 564 409625 555->564 556->555 561 4095a3-4095c0 call 40f0e4 556->561 557->536 570 4095c2-4095db call 4018e0 561->570 571 40960c-409618 561->571 564->548 566->557 570->560 574 4095e1-4095f9 570->574 571->564 574->560 575 4095ff-409607 574->575 575->560
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                      • wsprintfA.USER32 ref: 004093CE
                                                                      • wsprintfA.USER32 ref: 0040940C
                                                                      • wsprintfA.USER32 ref: 0040948D
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID: PromptOnSecureDesktop$runas
                                                                      • API String ID: 3696105349-2220793183
                                                                      • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                      • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                      • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                      • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                      Control-flow Graph

                                                                      control_flow_graph 614 406a60-406a89 CreateFileA 615 406b8c-406ba1 GetLastError 614->615 616 406a8f-406ac3 GetDiskFreeSpaceA 614->616 619 406ba3-406ba6 615->619 617 406ac5-406adc call 40eb0e 616->617 618 406b1d-406b27 call 406987 616->618 617->618 626 406ade 617->626 622 406b2c-406b34 618->622 624 406b56-406b63 CloseHandle 622->624 625 406b36-406b54 GetLastError CloseHandle 622->625 628 406b65-406b7d GetLastError CloseHandle 624->628 629 406b86-406b8a 624->629 627 406b7f-406b80 DeleteFileA 625->627 630 406ae0-406ae5 626->630 631 406ae7-406afb call 40eca5 626->631 627->629 628->627 629->619 630->631 632 406afd-406aff 630->632 631->618 632->618 635 406b01 632->635 636 406b03-406b08 635->636 637 406b0a-406b17 call 40eca5 635->637 636->618 636->637 637->618
                                                                      APIs
                                                                      • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                      • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3188212458-2980165447
                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
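The control_flow_graph line above is the text form of the graph the report normally draws: each basic block is an id followed by its start-end address range and then the APIs or "call target" pairs inside it, and each a->b token is an edge. The following is an added example, not part of the Joe Sandbox report or of the sample, that parses such a line back into a graph, emits Graphviz DOT for it, and answers the question an analyst asks of this function: on which paths DeleteFileA is reached. Reverse reachability shows that DeleteFileA (block 627) is entered only from blocks 625 and 628, both of which run GetLastError and CloseHandle first, and never from block 615, the error path taken when CreateFileA itself fails; the file is cleaned up after a failure following its creation, not when it could not be created. The input is the line for the function at 406a60 copied from this page; "sub_406A60" is only a label used in the DOT output.

```python
from collections import defaultdict, deque

# Constructed input: the control_flow_graph line for the function at 406a60 as exported
# on this page. A block is "id start[-end]" followed by its API names and "call target"
# pairs; an edge is "a->b".
CFG_406A60 = (
    "control_flow_graph 614 406a60-406a89 CreateFileA 615 406b8c-406ba1 GetLastError "
    "614->615 616 406a8f-406ac3 GetDiskFreeSpaceA 614->616 619 406ba3-406ba6 615->619 "
    "617 406ac5-406adc call 40eb0e 616->617 618 406b1d-406b27 call 406987 616->618 "
    "617->618 626 406ade 617->626 622 406b2c-406b34 618->622 624 406b56-406b63 CloseHandle "
    "622->624 625 406b36-406b54 GetLastError CloseHandle 622->625 628 406b65-406b7d "
    "GetLastError CloseHandle 624->628 629 406b86-406b8a 624->629 627 406b7f-406b80 "
    "DeleteFileA 625->627 630 406ae0-406ae5 626->630 631 406ae7-406afb call 40eca5 "
    "626->631 627->629 628->627 629->619 630->631 632 406afd-406aff 630->632 631->618 "
    "632->618 635 406b01 632->635 636 406b03-406b08 635->636 637 406b0a-406b17 call 40eca5 "
    "635->637 636->618 636->637 637->618"
)


def parse_cfg(listing):
    """Rebuild (blocks, edges) from a control_flow_graph line.
    Block ids are decimal and addresses hex; an address made only of digits (407073 in
    another listing on this page) is still an address because it always follows an id
    or the word 'call', which is why the parser is a small state machine."""
    blocks, edges = {}, []
    cur, expect = None, None          # expect: "range" after an id, "target" after "call"
    for tok in listing.split():
        if tok == "control_flow_graph":
            continue
        if expect == "range":
            lo, _, hi = tok.partition("-")
            blocks[cur] = {"start": int(lo, 16), "end": int(hi or lo, 16), "apis": [], "calls": []}
            expect = None
        elif expect == "target":
            blocks[cur]["calls"].append(int(tok, 16))
            expect = None
        elif "->" in tok:
            a, b = tok.split("->")
            edges.append((int(a), int(b)))
        elif tok.isdigit():
            cur, expect = int(tok), "range"
        elif tok == "call":
            expect = "target"
        else:
            blocks[cur]["apis"].append(tok)
    return blocks, edges


def entry_block(blocks, edges):
    """The block nothing jumps to (lowest address wins if the export has several)."""
    targets = {b for _, b in edges}
    return min((n for n in blocks if n not in targets), key=lambda n: blocks[n]["start"])


def exit_blocks(blocks, edges):
    sources = {a for a, _ in edges}
    return sorted(n for n in blocks if n not in sources)


def blocks_reaching(blocks, edges, api):
    """Blocks from which some block calling `api` is reachable (reverse BFS), callers included."""
    preds = defaultdict(list)
    for a, b in edges:
        preds[b].append(a)
    seen = {n for n, blk in blocks.items() if api in blk["apis"]}
    queue = deque(seen)
    while queue:
        for p in preds[queue.popleft()]:
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def apis_before(blocks, edges, api):
    """Other APIs that can already have run on a path that ends in a call of `api`."""
    return sorted({a for n in blocks_reaching(blocks, edges, api)
                   for a in blocks[n]["apis"] if a != api})


def to_dot(blocks, edges, name="cfg"):
    """Graphviz source, one box per block labelled with its range and calls."""
    lines = [f"digraph {name} {{", "  node [shape=box fontname=monospace];"]
    for n, blk in sorted(blocks.items(), key=lambda kv: kv[1]["start"]):
        body = blk["apis"] + [f"call {t:x}" for t in blk["calls"]]
        label = "\\n".join([f"{blk['start']:x}-{blk['end']:x}"] + body)
        lines.append(f'  b{n} [label="{label}"];')
    lines += [f"  b{a} -> b{b};" for a, b in edges]
    lines.append("}")
    return "\n".join(lines)


def analyze(listing, api="DeleteFileA"):
    blocks, edges = parse_cfg(listing)
    return {"blocks": len(blocks), "edges": len(edges),
            "entry": entry_block(blocks, edges), "exits": exit_blocks(blocks, edges),
            "reaching": blocks_reaching(blocks, edges, api),
            "before": apis_before(blocks, edges, api)}


if __name__ == "__main__":
    r = analyze(CFG_406A60)
    print(f"{r['blocks']} blocks, {r['edges']} edges, entry {r['entry']}, exits {r['exits']}")
    print("APIs that may precede DeleteFileA:", r["before"])
    print(to_dot(*parse_cfg(CFG_406A60), name="sub_406A60"))
```

Piping the DOT output through dot -Tsvg gives back the picture the report normally renders. The same parser takes the longer control_flow_graph lines on this page unchanged; only the api argument to analyze needs to be swapped for the call of interest in that function.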

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                      • GetTickCount.KERNEL32 ref: 0040EC78
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                      • String ID:
                                                                      • API String ID: 1209300637-0
                                                                      • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                      • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                      Control-flow Graph

                                                                      control_flow_graph 811 717bde-717bf7 812 717bf9-717bfb 811->812 813 717c02-717c0e CreateToolhelp32Snapshot 812->813 814 717bfd 812->814 815 717c10-717c16 813->815 816 717c1e-717c2b Module32First 813->816 814->813 815->816 821 717c18-717c1c 815->821 817 717c34-717c3c 816->817 818 717c2d-717c2e call 71789d 816->818 822 717c33 818->822 821->812 821->816 822->817
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00717C06
                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 00717C26
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2039090493.0000000000713000.00000040.00000020.00020000.00000000.sdmp, Offset: 00713000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_713000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                      • String ID:
                                                                      • API String ID: 3833638111-0
                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction ID: 4d52fa66009f214dbfafc3ed93a54bab843ce052d0ddeb1c2b9d44df44830ec4
                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction Fuzzy Hash: E8F06235104715ABD7242EB9988DAAAB6FCAF49725F100568E642D10C0DB78EC85CAA1

                                                                      Control-flow Graph

                                                                      control_flow_graph 827 40ebcc-40ebec GetProcessHeap RtlAllocateHeap call 40eb74
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                        • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                        • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocateSize
                                                                      • String ID:
                                                                      • API String ID: 2559512979-0
                                                                      • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                      • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                      • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                      • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                      Control-flow Graph

                                                                      control_flow_graph 264 4073ff-407419 265 40741b 264->265 266 40741d-407422 264->266 265->266 267 407424 266->267 268 407426-40742b 266->268 267->268 269 407430-407435 268->269 270 40742d 268->270 271 407437 269->271 272 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 269->272 270->269 271->272 277 407487-40749d call 40ee2a 272->277 278 4077f9-4077fe call 40ee2a 272->278 283 407703-40770e RegEnumKeyA 277->283 284 407801 278->284 285 4074a2-4074b1 call 406cad 283->285 286 407714-40771d RegCloseKey 283->286 287 407804-407808 284->287 290 4074b7-4074cc call 40f1a5 285->290 291 4076ed-407700 285->291 286->284 290->291 294 4074d2-4074f8 RegOpenKeyExA 290->294 291->283 295 407727-40772a 294->295 296 4074fe-407530 call 402544 RegQueryValueExA 294->296 297 407755-407764 call 40ee2a 295->297 298 40772c-407740 call 40ef00 295->298 296->295 305 407536-40753c 296->305 306 4076df-4076e2 297->306 307 407742-407745 RegCloseKey 298->307 308 40774b-40774e 298->308 309 40753f-407544 305->309 306->291 311 4076e4-4076e7 RegCloseKey 306->311 307->308 310 4077ec-4077f7 RegCloseKey 308->310 309->309 312 407546-40754b 309->312 310->287 311->291 312->297 313 407551-40756b call 40ee95 312->313 313->297 316 407571-407593 call 402544 call 40ee95 313->316 321 407753 316->321 322 407599-4075a0 316->322 321->297 323 4075a2-4075c6 call 40ef00 call 40ed03 322->323 324 4075c8-4075d7 call 40ed03 322->324 329 4075d8-4075da 323->329 324->329 331 4075dc 329->331 332 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 329->332 331->332 342 407626-40762b 332->342 342->342 343 40762d-407634 342->343 344 407637-40763c 343->344 344->344 345 40763e-407642 344->345 346 407644-407656 call 40ed77 345->346 347 40765c-407673 call 40ed23 345->347 352 407769-40777c call 40ef00 346->352 353 407680 347->353 354 407675-40767e 347->354 359 4077e3-4077e6 RegCloseKey 352->359 356 407683-40768e call 406cad 353->356 354->356 361 407722-407725 356->361 362 407694-4076bf call 40f1a5 call 406c96 356->362 359->310 363 4076dd 361->363 368 4076c1-4076c7 362->368 369 4076d8 362->369 363->306 368->369 370 4076c9-4076d2 368->370 369->363 370->369 371 40777e-407797 GetFileAttributesExA 370->371 372 407799 371->372 373 40779a-40779f 371->373 372->373 374 4077a1 373->374 375 4077a3-4077a8 373->375 374->375 376 4077c4-4077c8 375->376 377 4077aa-4077c0 call 40ee08 375->377 378 4077d7-4077dc 376->378 379 4077ca-4077d6 call 40ef00 376->379 377->376 382 4077e0-4077e2 378->382 383 4077de 378->383 379->378 382->359 383->382
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                      • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                      • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "$PromptOnSecureDesktop
                                                                      • API String ID: 3433985886-3108538426
                                                                      • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                      • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                      Control-flow Graph

                                                                      control_flow_graph 386 40704c-407071 387 407073 386->387 388 407075-40707a 386->388 387->388 389 40707c 388->389 390 40707e-407083 388->390 389->390 391 407085 390->391 392 407087-40708c 390->392 391->392 393 407090-4070ca call 402544 RegOpenKeyExA 392->393 394 40708e 392->394 397 4070d0-4070f6 call 406dc2 393->397 398 4071b8-4071c8 call 40ee2a 393->398 394->393 403 40719b-4071a9 RegEnumValueA 397->403 404 4071cb-4071cf 398->404 405 4070fb-4070fd 403->405 406 4071af-4071b2 RegCloseKey 403->406 407 40716e-407194 405->407 408 4070ff-407102 405->408 406->398 407->403 408->407 409 407104-407107 408->409 409->407 410 407109-40710d 409->410 410->407 411 40710f-407133 call 402544 call 40eed1 410->411 416 4071d0-407203 call 402544 call 40ee95 call 40ee2a 411->416 417 407139-407145 call 406cad 411->417 432 407205-407212 RegCloseKey 416->432 433 407227-40722e 416->433 423 407147-40715c call 40f1a5 417->423 424 40715e-40716b call 40ee2a 417->424 423->416 423->424 424->407 434 407222-407225 432->434 435 407214-407221 call 40ef00 432->435 436 407230-407256 call 40ef00 call 40ed23 433->436 437 40725b-40728c call 402544 call 40ee95 call 40ee2a 433->437 434->404 435->434 436->437 448 407258 436->448 451 4072b8-4072cb call 40ed77 437->451 452 40728e-40729a RegCloseKey 437->452 448->437 458 4072dd-4072f4 call 40ed23 451->458 459 4072cd-4072d8 RegCloseKey 451->459 454 4072aa-4072b3 452->454 455 40729c-4072a9 call 40ef00 452->455 454->404 455->454 463 407301 458->463 464 4072f6-4072ff 458->464 459->404 465 407304-40730f call 406cad 463->465 464->465 468 407311-40731d RegCloseKey 465->468 469 407335-40735d call 406c96 465->469 471 40732d-407330 468->471 472 40731f-40732c call 40ef00 468->472 475 4073d5-4073e2 RegCloseKey 469->475 476 40735f-407365 469->476 471->454 472->471 479 4073f2-4073f7 475->479 480 4073e4-4073f1 call 40ef00 475->480 476->475 478 407367-407370 476->478 478->475 481 407372-40737c 478->481 480->479 483 40739d-4073a2 481->483 484 40737e-407395 GetFileAttributesExA 481->484 487 4073a4 483->487 488 4073a6-4073a9 483->488 484->483 486 407397 484->486 486->483 487->488 489 4073b9-4073bc 488->489 490 4073ab-4073b8 call 40ef00 488->490 492 4073cb-4073cd 489->492 493 4073be-4073ca call 40ef00 489->493 490->489 492->475 493->492
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                      • RegEnumValueA.KERNELBASE(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                      • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                      • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                      • String ID: $"$PromptOnSecureDesktop
                                                                      • API String ID: 4293430545-98143240
                                                                      • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                      • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                      • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                      • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 576 40675c-406778 577 406784-4067a2 CreateFileA 576->577 578 40677a-40677e SetFileAttributesA 576->578 579 4067a4-4067b2 CreateFileA 577->579 580 4067b5-4067b8 577->580 578->577 579->580 581 4067c5-4067c9 580->581 582 4067ba-4067bf SetFileAttributesA 580->582 583 406977-406986 581->583 584 4067cf-4067df GetFileSize 581->584 582->581 585 4067e5-4067e7 584->585 586 40696b 584->586 585->586 588 4067ed-40680b ReadFile 585->588 587 40696e-406971 CloseHandle 586->587 587->583 588->586 589 406811-406824 SetFilePointer 588->589 589->586 590 40682a-406842 ReadFile 589->590 590->586 591 406848-406861 SetFilePointer 590->591 591->586 592 406867-406876 591->592 593 4068d5-4068df 592->593 594 406878-40688f ReadFile 592->594 593->587 595 4068e5-4068eb 593->595 596 406891-40689e 594->596 597 4068d2 594->597 598 4068f0-4068fe call 40ebcc 595->598 599 4068ed 595->599 600 4068a0-4068b5 596->600 601 4068b7-4068ba 596->601 597->593 598->586 608 406900-40690b SetFilePointer 598->608 599->598 602 4068bd-4068c3 600->602 601->602 604 4068c5 602->604 605 4068c8-4068ce 602->605 604->605 605->594 607 4068d0 605->607 607->593 609 40695a-406969 call 40ec2e 608->609 610 40690d-406920 ReadFile 608->610 609->587 610->609 611 406922-406958 610->611 611->587
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                      • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                      • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                      • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                      • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                      • CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                      • String ID:
                                                                      • API String ID: 2622201749-0
                                                                      • Opcode ID: 15625d6cb101808bdea6f9395adb21b3a8eafb42943f0309c545178590061202
                                                                      • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                      • Opcode Fuzzy Hash: 15625d6cb101808bdea6f9395adb21b3a8eafb42943f0309c545178590061202
                                                                      • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 640 6e003c-6e0047 641 6e004c-6e0263 call 6e0a3f call 6e0e0f call 6e0d90 VirtualAlloc 640->641 642 6e0049 640->642 657 6e028b-6e0292 641->657 658 6e0265-6e0289 call 6e0a69 641->658 642->641 660 6e02a1-6e02b0 657->660 661 6e02ce-6e03c2 VirtualProtect call 6e0cce call 6e0ce7 658->661 660->661 662 6e02b2-6e02cc 660->662 669 6e03d1-6e03e0 661->669 662->660 670 6e0439-6e04b8 VirtualFree 669->670 671 6e03e2-6e0437 call 6e0ce7 669->671 673 6e04be-6e04cd 670->673 674 6e05f4-6e05fe 670->674 671->669 678 6e04d3-6e04dd 673->678 675 6e077f-6e0789 674->675 676 6e0604-6e060d 674->676 681 6e078b-6e07a3 675->681 682 6e07a6-6e07b0 675->682 676->675 679 6e0613-6e0637 676->679 678->674 683 6e04e3-6e0505 LoadLibraryA 678->683 688 6e063e-6e0648 679->688 681->682 684 6e086e-6e08be LoadLibraryA 682->684 685 6e07b6-6e07cb 682->685 686 6e0517-6e0520 683->686 687 6e0507-6e0515 683->687 696 6e08c7-6e08f9 684->696 689 6e07d2-6e07d5 685->689 690 6e0526-6e0547 686->690 687->690 688->675 691 6e064e-6e065a 688->691 692 6e07d7-6e07e0 689->692 693 6e0824-6e0833 689->693 694 6e054d-6e0550 690->694 691->675 695 6e0660-6e066a 691->695 697 6e07e4-6e0822 692->697 698 6e07e2 692->698 702 6e0839-6e083c 693->702 699 6e0556-6e056b 694->699 700 6e05e0-6e05ef 694->700 701 6e067a-6e0689 695->701 703 6e08fb-6e0901 696->703 704 6e0902-6e091d 696->704 697->689 698->693 705 6e056f-6e057a 699->705 706 6e056d 699->706 700->678 707 6e068f-6e06b2 701->707 708 6e0750-6e077a 701->708 702->684 709 6e083e-6e0847 702->709 703->704 711 6e057c-6e0599 705->711 712 6e059b-6e05bb 705->712 706->700 713 6e06ef-6e06fc 707->713 714 6e06b4-6e06ed 707->714 708->688 715 6e084b-6e086c 709->715 716 6e0849 709->716 723 6e05bd-6e05db 711->723 712->723 717 6e06fe-6e0748 713->717 718 6e074b 713->718 714->713 715->702 716->684 717->718 718->701 723->694
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 006E024D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: cess$kernel32.dll
                                                                      • API String ID: 4275171209-1230238691
                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction ID: 0e35a6c12bade70b1b465d455dd422e68b4f7a7e37c090aa8174b37a3a36a116
                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction Fuzzy Hash: 12527874A01269DFDB64CF59C984BA8BBB1BF09304F1480D9E90DAB351DB70AE85DF14

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                      • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                      • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                        • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                        • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                        • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                        • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                        • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 4131120076-2980165447
                                                                      • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                      • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                      • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                      • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 739 404000-404008 740 40400b-40402a CreateFileA 739->740 741 404057 740->741 742 40402c-404035 GetLastError 740->742 745 404059-40405c 741->745 743 404052 742->743 744 404037-40403a 742->744 747 404054-404056 743->747 744->743 746 40403c-40403f 744->746 745->747 746->745 748 404041-404050 Sleep 746->748 748->740 748->743
                                                                      APIs
                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                      • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                      • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateErrorFileLastSleep
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 408151869-2980165447
                                                                      • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                      • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 749 406987-4069b7 750 4069e0 749->750 751 4069b9-4069be 749->751 753 4069e4-4069fd WriteFile 750->753 751->750 752 4069c0-4069d0 751->752 754 4069d2 752->754 755 4069d5-4069de 752->755 756 406a4d-406a51 753->756 757 4069ff-406a02 753->757 754->755 755->753 758 406a53-406a56 756->758 759 406a59 756->759 757->756 760 406a04-406a08 757->760 758->759 761 406a5b-406a5f 759->761 762 406a0a-406a0d 760->762 763 406a3c-406a3e 760->763 764 406a10-406a2e WriteFile 762->764 763->761 765 406a40-406a4b 764->765 766 406a30-406a33 764->766 765->761 766->765 767 406a35-406a3a 766->767 767->763 767->764
                                                                      APIs
                                                                      • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                      • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileWrite
                                                                      • String ID: ,k@
                                                                      • API String ID: 3934441357-1053005162
                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 769 4091eb-409208 770 409308 769->770 771 40920e-40921c call 40ed03 769->771 773 40930b-40930f 770->773 775 40921e-40922c call 40ed03 771->775 776 40923f-409249 771->776 775->776 783 40922e-409230 775->783 777 409250-409270 call 40ee08 776->777 778 40924b 776->778 784 409272-40927f 777->784 785 4092dd-4092e1 777->785 778->777 786 409233-409238 783->786 787 409281-409285 784->787 788 40929b-40929e 784->788 789 4092e3-4092e5 785->789 790 4092e7-4092e8 785->790 786->786 791 40923a-40923c 786->791 787->787 792 409287 787->792 794 4092a0 788->794 795 40928e-409293 788->795 789->790 793 4092ea-4092ef 789->793 790->785 791->776 792->788 798 4092f1-4092f6 Sleep 793->798 799 4092fc-409302 793->799 800 4092a8-4092ab 794->800 796 409295-409298 795->796 797 409289-40928c 795->797 796->800 803 40929a 796->803 797->795 797->803 798->799 799->770 799->771 801 4092a2-4092a5 800->801 802 4092ad-4092b0 800->802 804 4092b2 801->804 806 4092a7 801->806 802->804 805 4092bd 802->805 803->788 807 4092b5-4092b9 804->807 808 4092bf-4092db ShellExecuteA 805->808 806->800 807->807 809 4092bb 807->809 808->785 810 409310-409324 808->810 809->808 810->773
                                                                      APIs
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                      • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShellSleep
                                                                      • String ID:
                                                                      • API String ID: 4194306370-0
                                                                      • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                      • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                      • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                      • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 824 6e0e0f-6e0e24 SetErrorMode * 2 825 6e0e2b-6e0e2c 824->825 826 6e0e26 824->826 826->825
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,006E0223,?,?), ref: 006E0E19
                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,006E0223,?,?), ref: 006E0E1E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction ID: 5910df1618b4d58ae791dba76823746767ea92d9917d6bbb5d2ec6216bae3b2e
                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction Fuzzy Hash: 4AD0123114522877D7002A95DC09BCD7B1CDF05B62F008421FB0DD9180C7B0994046E5

                                                                      Control-flow Graph (rendered graph not available; basic-block ranges and edges listed as extracted)
                                                                      control_flow_graph 830 406dc2-406dd5 831 406e33-406e35 830->831 832 406dd7-406df1 call 406cc9 call 40ef00 830->832 837 406df4-406df9 832->837 837->837 838 406dfb-406e00 837->838 839 406e02-406e22 GetVolumeInformationA 838->839 840 406e24 838->840 839->840 841 406e2e 839->841 840->841 841->831
                                                                      APIs
                                                                        • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                        • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                        • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                        • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                      • String ID:
                                                                      • API String ID: 1823874839-0
                                                                      • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                      • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007178EE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2039090493.0000000000713000.00000040.00000020.00020000.00000000.sdmp, Offset: 00713000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_713000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction ID: 721d02ed8c44b5520554b63be172a62b7abfeb8004f60ff90cef98a8cb4d3ff9
                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction Fuzzy Hash: A8113F79A00208EFDB01DF98C985E98BBF5EF08351F158094F9489B362D375EA90DF90
                                                                      APIs
                                                                      • closesocket.WS2_32(?), ref: 0040CA4E
                                                                      • closesocket.WS2_32(?), ref: 0040CB63
                                                                      • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                      • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                      • wsprintfA.USER32 ref: 0040CD21
                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                      • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                      • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                      • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                      • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                      • closesocket.WS2_32(?), ref: 0040D56C
                                                                      • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                      • ExitProcess.KERNEL32 ref: 0040D583
                                                                      • wsprintfA.USER32 ref: 0040D81F
                                                                        • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                      • closesocket.WS2_32(?), ref: 0040DAD5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                      • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                      • API String ID: 562065436-3791576231
                                                                      • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                      • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                      • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                      • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                      • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                      • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                      • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                      • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                      • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                      • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                      • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                      • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                      • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                      • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressProc$LibraryLoad
                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                      • API String ID: 2238633743-3228201535
                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                      • API String ID: 766114626-2976066047
                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                      • API String ID: 1628651668-3716895483
                                                                      • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                      • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                      • API String ID: 4207808166-1381319158
                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                      • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                      • htons.WS2_32(00000000), ref: 00402ADB
                                                                      • select.WS2_32 ref: 00402B28
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                      • htons.WS2_32(?), ref: 00402B71
                                                                      • htons.WS2_32(?), ref: 00402B8C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Similarity
                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                      • String ID:
                                                                      • API String ID: 1639031587-0
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Similarity
                                                                      • API ID: CreateEventExitProcess
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 2404124870-2980165447
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Similarity
                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 2438460464-0
                                                                      APIs
                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                      • String ID: *p@
                                                                      • API String ID: 3429775523-2474123842
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 006E65F6
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 006E6610
                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 006E6631
                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 006E6652
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                      • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                        • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                        • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Similarity
                                                                      • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                      • String ID:
                                                                      • API String ID: 3754425949-0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .$GetProcAddress.$l
                                                                      • API String ID: 0-2784972518
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2039090493.0000000000713000.00000040.00000020.00020000.00000000.sdmp, Offset: 00713000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_713000_lYWiDKe1In.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Mtq
                                                                      • API String ID: 0-3948034777
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      APIs
                                                                      • ExitProcess.KERNEL32 ref: 006E9E6D
                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 006E9FE1
                                                                      • lstrcat.KERNEL32(?,?), ref: 006E9FF2
                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 006EA004
                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 006EA054
                                                                      • DeleteFileA.KERNEL32(?), ref: 006EA09F
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 006EA0D6
                                                                      • lstrcpy.KERNEL32 ref: 006EA12F
                                                                      • lstrlen.KERNEL32(00000022), ref: 006EA13C
                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 006E9F13
                                                                        • Part of subcall function 006E7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 006E7081
                                                                        • Part of subcall function 006E6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\xdcafaam,006E7043), ref: 006E6F4E
                                                                        • Part of subcall function 006E6F30: GetProcAddress.KERNEL32(00000000), ref: 006E6F55
                                                                        • Part of subcall function 006E6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 006E6F7B
                                                                        • Part of subcall function 006E6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 006E6F92
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 006EA1A2
                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 006EA1C5
                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 006EA214
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 006EA21B
                                                                      • GetDriveTypeA.KERNEL32(?), ref: 006EA265
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 006EA29F
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 006EA2C5
                                                                      • lstrcat.KERNEL32(?,00000022), ref: 006EA2D9
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 006EA2F4
                                                                      • wsprintfA.USER32 ref: 006EA31D
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 006EA345
                                                                      • lstrcat.KERNEL32(?,?), ref: 006EA364
                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 006EA387
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 006EA398
                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 006EA1D1
                                                                        • Part of subcall function 006E9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 006E999D
                                                                        • Part of subcall function 006E9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 006E99BD
                                                                        • Part of subcall function 006E9966: RegCloseKey.ADVAPI32(?), ref: 006E99C6
                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 006EA3DB
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 006EA3E2
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 006EA41D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Similarity
                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                      • String ID: "$"$"$D$P$\
                                                                      • API String ID: 1653845638-2605685093
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 006E7D21
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 006E7D46
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 006E7D7D
                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 006E7DA2
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 006E7DC0
                                                                      • EqualSid.ADVAPI32(?,?), ref: 006E7DD1
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 006E7DE5
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 006E7DF3
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 006E7E03
                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 006E7E12
                                                                      • LocalFree.KERNEL32(00000000), ref: 006E7E19
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006E7E35
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: D$PromptOnSecureDesktop
                                                                      • API String ID: 2976863881-1403908072
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: D$PromptOnSecureDesktop
                                                                      • API String ID: 2976863881-1403908072
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                      • API String ID: 2400214276-165278494
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0040A7FB
                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                      • wsprintfA.USER32 ref: 0040A8AF
                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                      • wsprintfA.USER32 ref: 0040A8E2
                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                      • wsprintfA.USER32 ref: 0040A9B9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                      • API String ID: 3650048968-2394369944
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 006E7A96
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 006E7ACD
                                                                      • GetLengthSid.ADVAPI32(?), ref: 006E7ADF
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 006E7B01
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 006E7B1F
                                                                      • EqualSid.ADVAPI32(?,?), ref: 006E7B39
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 006E7B4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 006E7B58
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 006E7B68
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 006E7B77
                                                                      • LocalFree.KERNEL32(00000000), ref: 006E7B7E
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006E7B9A
                                                                      • GetAce.ADVAPI32(?,?,?), ref: 006E7BCA
                                                                      • EqualSid.ADVAPI32(?,?), ref: 006E7BF1
                                                                      • DeleteAce.ADVAPI32(?,?), ref: 006E7C0A
                                                                      • EqualSid.ADVAPI32(?,?), ref: 006E7C2C
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 006E7CB1
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 006E7CBF
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 006E7CD0
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 006E7CE0
                                                                      • LocalFree.KERNEL32(00000000), ref: 006E7CEE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                      • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                      • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                      • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: PromptOnSecureDesktop$localcfg
                                                                      • API String ID: 237177642-1678164370
                                                                      APIs
                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                      • API String ID: 835516345-270533642
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 006E865A
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 006E867B
                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 006E86A8
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 006E86B1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: "$PromptOnSecureDesktop
                                                                      • API String ID: 237177642-3108538426
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 006E1601
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 006E17D8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $<$@$D
                                                                      • API String ID: 1628651668-1974347203
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 006E76D9
                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 006E7757
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 006E778F
                                                                      • ___ascii_stricmp.LIBCMT ref: 006E78B4
                                                                      • RegCloseKey.ADVAPI32(?), ref: 006E794E
                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 006E796D
                                                                      • RegCloseKey.ADVAPI32(?), ref: 006E797E
                                                                      • RegCloseKey.ADVAPI32(?), ref: 006E79AC
                                                                      • RegCloseKey.ADVAPI32(?), ref: 006E7A56
                                                                        • Part of subcall function 006EF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,006E772A,?), ref: 006EF414
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 006E79F6
                                                                      • RegCloseKey.ADVAPI32(?), ref: 006E7A4D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "$PromptOnSecureDesktop
                                                                      • API String ID: 3433985886-3108538426
                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 006E2CED
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 006E2D07
                                                                      • htons.WS2_32(00000000), ref: 006E2D42
                                                                      • select.WS2_32 ref: 006E2D8F
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 006E2DB1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 006E2E62
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                      • String ID:
                                                                      • API String ID: 127016686-0
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                        • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                        • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                        • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                        • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                      • wsprintfA.USER32 ref: 0040AEA5
                                                                        • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                      • wsprintfA.USER32 ref: 0040AE4F
                                                                      • wsprintfA.USER32 ref: 0040AE5E
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                      • API String ID: 3631595830-1816598006
                                                                      • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                      • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                      • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                      • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
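The string table of this function pairs GetLocalTime/SystemTimeToFileTime with the boundary format `----=_NextPart_%03d_%04X_%08.8lX.%08.8lX`, which is the shape Outlook Express gives its MIME boundaries. The Python below is an added example, not code from the sample, from Joe Sandbox, or from any published Tofsee analysis: it rebuilds such a boundary from a timestamp, decodes one back, and compares the embedded time with the message's Date header. Reading the two trailing 8-hex-digit fields as the high and low DWORDs of a FILETIME is an inference from the API sequence listed above, not something the report states, and the sample message is constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Boundary format string carried by the sample (String ID above):
#   ----=_NextPart_%03d_%04X_%08.8lX.%08.8lX
# Interpreting the last two fields as FILETIME high/low DWORDs is an
# assumption drawn from the GetLocalTime -> SystemTimeToFileTime calls.
BOUNDARY_RE = re.compile(
    r"^----=_NextPart_(?P<seq>\d{3})_(?P<part>[0-9A-F]{4})_"
    r"(?P<ft_high>[0-9A-F]{8})\.(?P<ft_low>[0-9A-F]{8})$"
)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(high, low):
    """FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def make_boundary(seq, part, when):
    """Mirror of the wsprintfA call: build the boundary from a timestamp."""
    delta = when - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return "----=_NextPart_%03d_%04X_%08X.%08X" % (seq, part, ticks >> 32, ticks & 0xFFFFFFFF)


def parse_nextpart_boundary(boundary):
    """Decode a boundary in this format; None when the shape does not match."""
    m = BOUNDARY_RE.match(boundary or "")
    if not m:
        return None
    return {
        "seq": int(m["seq"]),
        "part": int(m["part"], 16),
        "filetime": filetime_to_datetime(int(m["ft_high"], 16), int(m["ft_low"], 16)),
    }


def check_message(raw, max_skew=timedelta(hours=26)):
    """Compare the time hidden in the MIME boundary with the Date header.

    GetLocalTime returns wall-clock local time and SystemTimeToFileTime does
    not shift it to UTC, so the embedded value may legitimately differ from
    the Date header by the sender's UTC offset; max_skew allows for that.
    """
    msg = message_from_string(raw)
    decoded = parse_nextpart_boundary(msg.get_param("boundary"))
    if decoded is None:
        return {"nextpart_format": False}
    date_hdr = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    skew = abs(decoded["filetime"] - date_hdr)
    return {
        "nextpart_format": True,
        "boundary_time": decoded["filetime"],
        "date_header": date_hdr,
        "skew_seconds": int(skew.total_seconds()),
        "inconsistent": skew > max_skew,
    }


# Constructed sample message (not from the report). The boundary is generated
# for the same instant as the Date header, as the sample's code path would.
SAMPLE_TIME = datetime(2024, 6, 10, 12, 34, 56, tzinfo=timezone.utc)
SAMPLE_MESSAGE = (
    "From: user@example.com\r\n"
    "To: someone@example.net\r\n"
    "Date: Mon, 10 Jun 2024 12:34:56 +0000\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="%s"\r\n'
    "\r\n"
    "body\r\n"
) % make_boundary(0, 5, SAMPLE_TIME)

if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE))
```

A format match on its own proves nothing, because genuine Outlook Express mail produces the same boundary; what the check adds is a consistency signal. Small offsets equal to a time zone are expected, while a boundary that decodes to a date hours or years away from the Date header was not generated by the client the headers claim at the time they claim.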
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                      • htons.WS2_32(00000035), ref: 00402E88
                                                                      • inet_addr.WS2_32(?), ref: 00402E93
                                                                      • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                      • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                      • API String ID: 929413710-2099955842
                                                                      • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                      • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                      • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                      • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?), ref: 006E95A7
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006E95D5
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 006E95DC
                                                                      • wsprintfA.USER32 ref: 006E9635
                                                                      • wsprintfA.USER32 ref: 006E9673
                                                                      • wsprintfA.USER32 ref: 006E96F4
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 006E9758
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 006E978D
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 006E97D8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3696105349-2980165447
                                                                      • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction ID: 84dbe16e0c46d0ee00c72ac732030e4d5bddab5e9cb044500156b12ff1fd7f1c
                                                                      • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction Fuzzy Hash: 9CA17FB190138CABEF21DFA2CC45FDA3BAEEF05740F10402AF91596152E775D9848BA5
                                                                      APIs
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                      • API String ID: 1586166983-142018493
                                                                      • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                      • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0040B467
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$wsprintf
                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                      • API String ID: 1220175532-2340906255
                                                                      • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                      • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                      • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                      • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 006E202D
                                                                      • GetSystemInfo.KERNEL32(?), ref: 006E204F
                                                                      • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 006E206A
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 006E2071
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 006E2082
                                                                      • GetTickCount.KERNEL32 ref: 006E2230
                                                                        • Part of subcall function 006E1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 006E1E7C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                      • API String ID: 4207808166-1391650218
                                                                      • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                      • Instruction ID: aa3c90664f783601e5eaff5e2649694df147b659b862f0fcc71a4666218de20d
                                                                      • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                      • Instruction Fuzzy Hash: 2C514EB15013C46FE370AF768C86FA77AEDEF44704F00092DFA9682242D7B59984C769
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00402078
                                                                      • GetTickCount.KERNEL32 ref: 004020D4
                                                                      • GetTickCount.KERNEL32 ref: 004020DB
                                                                      • GetTickCount.KERNEL32 ref: 0040212B
                                                                      • GetTickCount.KERNEL32 ref: 00402132
                                                                      • GetTickCount.KERNEL32 ref: 00402142
                                                                        • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                        • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                        • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                        • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                        • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                      • API String ID: 3976553417-1522128867
                                                                      • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                      • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                      • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                      • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
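The config keys rbl_bl and rbl_ip in this function's strings, next to the gethostbyname use elsewhere in the image, suggest the bot tests its own address against DNS blacklists before choosing how to deliver mail; the report shows only the names, not the logic. The Python below is an added illustration of how such a lookup is formed, not the sample's code and not a reconstruction of it. The zone names and listings in the resolver table are constructed so the example runs offline; `system_resolver` is the only part that talks to real DNS.

```python
import ipaddress
import socket

# DNSBL answers live in 127.0.0.0/8; the low byte is a list-specific reason
# code. 127.0.0.2 is the RFC 5782 test entry that every conforming list returns.
DNSBL_ANSWER_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the list zone: 1.2.3.4 -> 4.3.2.1.zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_check(ip, zones, resolve):
    """Return {zone: [reason codes]} for every zone that lists ip.

    resolve(name) must return the A records for name as strings, or an empty
    list on NXDOMAIN. Answers outside 127.0.0.0/8 are ignored: a withdrawn
    zone or a wildcarding resolver would otherwise make every address look
    listed.
    """
    listed = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        codes = [a for a in answers if ipaddress.IPv4Address(a) in DNSBL_ANSWER_NET]
        if codes:
            listed[zone] = codes
    return listed


def system_resolver(name):
    """Live resolver built on gethostbyname_ex, the call family the sample uses."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed resolver table (hypothetical zones, no real DNSBL data).
FAKE_ZONE_DATA = {
    "2.0.0.127.bl.example": ["127.0.0.2"],            # RFC 5782 test address
    "4.3.2.1.bl.example": ["127.0.0.4", "127.0.0.10"],
    "4.3.2.1.dead.example": ["198.51.100.7"],          # dead/wildcarded zone, ignored
}


def fake_resolver(name):
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    print(dnsbl_check("1.2.3.4", ["bl.example", "dead.example"], fake_resolver))
```

From the defender's side the same lookup, run with `system_resolver` against your egress address and the lists your mail peers use, tells you whether an infected host in your range has already cost the address its reputation; from the bot's side it is cheap to run, which is presumably why the keys live in the local config rather than being fetched each time.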
                                                                      APIs
                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                      • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                      • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                      • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                      APIs
                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                      • String ID: localcfg
                                                                      • API String ID: 1553760989-1857712256
                                                                      • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                      • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 006E3068
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 006E3078
                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 006E3095
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 006E30B6
                                                                      • htons.WS2_32(00000035), ref: 006E30EF
                                                                      • inet_addr.WS2_32(?), ref: 006E30FA
                                                                      • gethostbyname.WS2_32(?), ref: 006E310D
                                                                      • HeapFree.KERNEL32(00000000), ref: 006E314D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: iphlpapi.dll
                                                                      • API String ID: 2869546040-3565520932
                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction ID: dd02d115eb986b447db568841f8ae4ea3cc28542cddb16bc959b6863897b3e38
                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction Fuzzy Hash: C331D631A01396BBDB119BBA9C4CAEE77B9EF04360F148129F518E3390DB74DE418B58
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                      • API String ID: 3560063639-3847274415
                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
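Every entry above follows one layout: an APIs list with `Name.MODULE(args), ref: ADDR` bullets, indented "Part of subcall function" bullets for callees, then a String ID line and fuzzy hashes. On a long report it is quicker to let a script tag each function by capability than to read each entry. The Python below is an added example, not part of Joe Sandbox and not from the sample: it parses entries in this layout, collects the APIs called, the libraries loaded, the names resolved through GetProcAddress and the strings, then applies a small rule table. The rule table is the example's own choice, and the input is two entries copied from this report and trimmed to the lines the parser uses.

```python
import re

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; subcall
# bullets carry a "Part of subcall function ADDR:" prefix.
API_LINE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRING_LINE = re.compile(r"^•\s*String ID:\s*(?P<strings>.*)$")
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]+$")

# (label, APIs that must all be present, APIs of which at least one must be present).
# Names resolved through GetProcAddress count as present. Hypothetical rules.
RULES = [
    ("dynamic import resolution", {"GetProcAddress"}, {"LoadLibraryA", "GetModuleHandleA"}),
    ("dns lookup", set(), {"gethostbyname", "DnsQuery_A"}),
    ("local dns server enumeration", set(), {"GetNetworkParams"}),
    ("registry read", {"RegOpenKeyExA", "RegQueryValueExA"}, set()),
    ("host fingerprinting", set(), {"GetVersionExA", "GetComputerNameA", "GetSystemInfo", "gethostname"}),
    ("thread creation", {"CreateThread"}, set()),
]


def parse_entries(text):
    """Split report text at each 'APIs' line and collect what each entry calls."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"first_ref": None, "apis": [], "subcall_apis": [], "libraries": [],
                   "resolved": [], "strings": [], "tags": []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            name = m["name"]
            argv = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            if m["sub"]:
                cur["subcall_apis"].append(name)
            else:
                cur["apis"].append(name)
                cur["first_ref"] = cur["first_ref"] or m["ref"]
            if name in ("LoadLibraryA", "GetModuleHandleA"):
                cur["libraries"] += [a for a in argv
                                     if a.lower().endswith(".dll") and a not in cur["libraries"]]
            if name == "GetProcAddress":
                # from the second argument on, a non-hex token is the imported name
                cur["resolved"] += [a for a in argv[1:]
                                    if a != "?" and not HEX_TOKEN.match(a) and a not in cur["resolved"]]
            continue
        m = STRING_LINE.match(line)
        if m:
            cur["strings"] = [s for s in m["strings"].split("$") if s]
    return entries


def tag_entry(entry):
    names = set(entry["apis"]) | set(entry["subcall_apis"]) | set(entry["resolved"])
    return [label for label, need_all, need_any in RULES
            if need_all <= names and (not need_any or names & need_any)]


def analyze_report(text):
    entries = parse_entries(text)
    for entry in entries:
        entry["tags"] = tag_entry(entry)
    return entries


# Two entries from this report, trimmed (constructed input for the example).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• htons.WS2_32(00000035), ref: 00402E88
• gethostbyname.WS2_32(?), ref: 00402EA6
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
Strings
Similarity
• String ID: GetNetworkParams$iphlpapi.dll
APIs
• GetVersionExA.KERNEL32(?), ref: 006E95A7
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 006E9758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 006E978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 006E97D8
Similarity
• String ID: PromptOnSecureDesktop
"""

if __name__ == "__main__":
    for entry in analyze_report(SAMPLE):
        print(entry["first_ref"], entry["tags"], entry["libraries"], entry["resolved"])
```

In the iphlpapi entry the parser puts GetNetworkParams, gethostbyname and htons(00000035), that is port 53, in one function, which is the combination to expect when code wants the host's configured DNS servers for a resolver of its own rather than the system one; the dnsapi entry above (DnsQuery_A, loaded the same way) is the other route to the same data. Treat the tags as a reading order for the entries, not as verdicts, and extend RULES with whatever the investigation needs.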
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
• API String ID: 1082366364-2834986871
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
APIs
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D$PromptOnSecureDesktop
• API String ID: 2981417381-1403908072
• Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
• Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
• Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 006E67C3
• htonl.WS2_32(?), ref: 006E67DF
• htonl.WS2_32(?), ref: 006E67EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 006E68F1
• ExitProcess.KERNEL32 ref: 006E69BC
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 96d386105e937650082867a9e844b2d9706c23e1c6e0cdaec118c5ab09bbdc58
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: 6A616F71940348AFDB609FB4DC45FEA77E9FB08300F24806AF96DD2161EA7599908F54
APIs
• htons.WS2_32(006ECC84), ref: 006EF5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 006EF5CE
• closesocket.WS2_32(00000000), ref: 006EF5DC
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: 6ac1b7f1908eb07e496631bdc137d5c68fadac1c5b3c3ac7db9e635618895afa
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: D4318C72901258ABDB10DFA6DC89DEF7BBDEF89310F10457AF905E3150E7708A818BA4
APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
APIs
• GetModuleHandleA.KERNEL32(?), ref: 006E2FA1
• LoadLibraryA.KERNEL32(?), ref: 006E2FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 006E2FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 006E3000
• RtlAllocateHeap.NTDLL(00000000), ref: 006E3007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 006E3032
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: e485de5fb5896a419eab30a7b8bcf37f21a8a708fcc80dba669f705aa68e4c51
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 1B21A471942366BBCB219B56DC489EEBBBEEF08B10F104421F901E7240D7B49E8187D4
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\xdcafaam,006E7043), ref: 006E6F4E
• GetProcAddress.KERNEL32(00000000), ref: 006E6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 006E6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 006E6F92
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\xdcafaam
• API String ID: 1082366364-2732631617
• Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction ID: f271817cf85ab9bbd91f4cc3e5447ea0bb9447f0653c2434b092aada9c237fc3
• Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
• Instruction Fuzzy Hash: 5C213B617463C07AF7225733AC89FF73E4F8B62750F1840A9F404D62D1DAD988D5826D
APIs
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: Code
• String ID: PromptOnSecureDesktop
• API String ID: 3609698214-2980165447
• Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
• Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
• Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 006E92E2
• wsprintfA.USER32 ref: 006E9350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 006E9375
• lstrlen.KERNEL32(?,?,00000000), ref: 006E9389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 006E9394
• CloseHandle.KERNEL32(00000000), ref: 006E939B
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
• Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction ID: 513f6f6276884c5e1f0c404ed35577fd332fcdbfc705c736254cc3dbbff01eaa
• Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
• Instruction Fuzzy Hash: 24119AB17412547BE7606732DC0EFEF3A6EDFC4B10F00C069BB09E5091EEB54A418668
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID: PromptOnSecureDesktop
• API String ID: 2439722600-2980165447
• Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
• Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
• Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 006E9A18
• GetThreadContext.KERNEL32(?,?), ref: 006E9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 006E9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 006E9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 006E9AB5
• ResumeThread.KERNEL32(?), ref: 006E9AC2
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: 00d10d9dd3cf6aaa85b3239dfd9db4581f9c6e5b5073a3e6ce686ed0673c445c
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: CE213BB1A02219BBDB119BA6DC09EEF7BBDEF04750F404061BA19E6150EB758A44CBA4
APIs
• inet_addr.WS2_32(004102D8), ref: 006E1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 006E1C26
• GetProcessHeap.KERNEL32 ref: 006E1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 006E1C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 006E1CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 006E1D02
• FreeLibrary.KERNEL32(?), ref: 006E1D0B
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: b12b1b3e8d966e51d78f8f3a7fe65995ddb358e8adebbeb33f7157c2034f37ed
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: 27313E31E01259BFCB119FA5DC888EEBABAEF46711B24447AE501E7210D7B54E80EB94
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1586453840-2980165447
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                      • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$CreateEvent
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 1371578007-2980165447
                                                                      • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                      • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                      • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                      • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                      APIs
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 006E6CE4
                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 006E6D22
                                                                      • GetLastError.KERNEL32 ref: 006E6DA7
                                                                      • CloseHandle.KERNEL32(?), ref: 006E6DB5
                                                                      • GetLastError.KERNEL32 ref: 006E6DD6
                                                                      • DeleteFileA.KERNEL32(?), ref: 006E6DE7
                                                                      • GetLastError.KERNEL32 ref: 006E6DFD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                      • String ID:
                                                                      • API String ID: 3873183294-0
                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction ID: 85683c3e808fad4b7ccbb8914c951943efdea4a7793caa1b3156173478acfe02
                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction Fuzzy Hash: 5A312372A02389BFCB01DFA5DD48ADEBF7AEF58340F148065F211E3261D7708A418B65
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,006EE50A,00000000,00000000,00000000,00020106,00000000,006EE50A,00000000,000000E4), ref: 006EE319
                                                                      • RegSetValueExA.ADVAPI32(006EE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 006EE38E
                                                                      • RegDeleteValueA.ADVAPI32(006EE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dn), ref: 006EE3BF
                                                                      • RegCloseKey.ADVAPI32(006EE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dn,006EE50A), ref: 006EE3C8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID: PromptOnSecureDesktop$Dn
                                                                      • API String ID: 2667537340-2952939467
                                                                      • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                      • Instruction ID: 567a8b2987eb3296431d5b9109ca6415370ed496ec3dfec6b0b9d6545c83943b
                                                                      • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                      • Instruction Fuzzy Hash: D2215E71A0125DBBDF209FA5EC89EDE7F7AEF08750F008065F904E6151E2728A54DBA0
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006E93C6
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 006E93CD
                                                                      • CharToOemA.USER32(?,?), ref: 006E93DB
                                                                      • wsprintfA.USER32 ref: 006E9410
                                                                        • Part of subcall function 006E92CB: GetTempPathA.KERNEL32(00000400,?), ref: 006E92E2
                                                                        • Part of subcall function 006E92CB: wsprintfA.USER32 ref: 006E9350
                                                                        • Part of subcall function 006E92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 006E9375
                                                                        • Part of subcall function 006E92CB: lstrlen.KERNEL32(?,?,00000000), ref: 006E9389
                                                                        • Part of subcall function 006E92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 006E9394
                                                                        • Part of subcall function 006E92CB: CloseHandle.KERNEL32(00000000), ref: 006E939B
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 006E9448
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3857584221-2980165447
                                                                      • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                      • Instruction ID: 308c0d05a818fdad1731cb7ed95ef9a3cc1bc2685eff2045f2ffb5dad82e478e
                                                                      • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                      • Instruction Fuzzy Hash: 1A0192F69002587BDB20A7619D49EDF3B7CDB85701F0000A5BB09E2080DAB497C58F75
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3857584221-2980165447
                                                                      • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                      • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                      • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                      • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
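The call listings above are easier to triage programmatically than by eye: the entry at 0040915F resolves its own module path, calls GetTempPathA, formats a path, creates a file with GENERIC_WRITE (40000000) and CREATE_ALWAYS (00000002), writes to it and then calls ShellExecuteA, while the entry at 006EE319 creates a key under HKEY_CURRENT_USER (80000001) and sets a value. Two caveats apply when reading these lines: `?` marks an argument the analyzer could not resolve, so the file handed to ShellExecuteA is not visible here, and the argument lists are longer than the APIs' parameter counts (CreateEventA takes four, eleven values are shown), so the trailing values are stack contents rather than arguments. The following Python is an added example written for this report, not Joe Sandbox or sample code; its ARITY and PATTERNS tables and the behaviour labels are its own assumptions, and the SAMPLE input is a constructed copy of three entries from the listing above.

```python
"""Triage helper for a Joe Sandbox "Functions" listing (added example, not Joe
Sandbox or sample code). Parses "• Api.DLL(args), ref: addr" lines, trims each
argument list to the API's parameter count, and labels each function's API set."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Optional "Part of subcall function XXXX:" prefix, Api.Module, optional "(a,b,...)"
# argument list (wsprintfA lines have none), then "ref: ADDR".
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Win32 parameter counts (assumed table). Values past this count in the
# listing are stack contents, not arguments: CreateEventA takes 4, 11 are shown.
ARITY = {
    "GetModuleHandleA": 1, "GetModuleFileNameA": 3, "GetTempPathA": 2,
    "CreateEventA": 4, "CreateFileA": 7, "WriteFile": 5, "CloseHandle": 1,
    "ShellExecuteA": 6, "RegOpenKeyExA": 5, "RegQueryValueExA": 6,
    "RegCreateKeyExA": 9, "RegSetValueExA": 6, "RegDeleteValueA": 2, "RegCloseKey": 1,
}
HIVES = {"80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"}
PATTERNS = {  # example labels: API sets that together suggest the behaviour
    "self-delete via script dropped in %TEMP%":
        {"GetModuleFileNameA", "GetTempPathA", "CreateFileA", "WriteFile", "ShellExecuteA"},
    "registry value write": {"RegCreateKeyExA", "RegSetValueExA"},
    "registry value read": {"RegOpenKeyExA", "RegQueryValueExA"},
}

@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall: str | None = None  # function the call was reported from, if a subcall

@dataclass
class Function:
    calls: list[Call] = field(default_factory=list)
    def apis(self) -> set[str]:
        return {c.api for c in self.calls}

def parse_listing(text: str) -> list[Function]:
    """Split the listing at each 'APIs' header and parse its call lines."""
    funcs: list[Function] = []
    current: Function | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = Function()
            funcs.append(current)
            continue
        m = CALL_RE.search(line)
        if m is None or current is None:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        arity = ARITY.get(m["api"])
        if arity is not None:
            args = args[:arity]  # drop stack residue; positions stay intact
        current.calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return funcs

def classify(func: Function) -> list[str]:
    """Labels whose required API set is contained in the function's calls."""
    apis = func.apis()
    return [name for name, needed in PATTERNS.items() if needed <= apis]

def new_file_writes(func: Function) -> list[str]:
    """refs of CreateFileA calls with GENERIC_WRITE (0x40000000) and CREATE_ALWAYS (2)."""
    return [c.ref for c in func.calls if c.api == "CreateFileA"
            and len(c.args) >= 5 and c.args[1] == "40000000" and c.args[4] == "00000002"]

def registry_hives(func: Function) -> list[tuple[str, str]]:
    """(api, hive) for key open/create calls whose root argument is a known hive."""
    return [(c.api, HIVES[c.args[0]]) for c in func.calls
            if c.api in ("RegOpenKeyExA", "RegCreateKeyExA") and c.args and c.args[0] in HIVES]

# Constructed sample: three entries copied from the listing above.
SAMPLE = """
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
  • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
APIs
• RegCreateKeyExA.ADVAPI32(80000001,006EE50A,00000000,00000000,00000000,00020106,00000000,006EE50A,00000000,000000E4), ref: 006EE319
• RegSetValueExA.ADVAPI32(006EE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 006EE38E
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
"""

if __name__ == "__main__":
    for i, f in enumerate(parse_listing(SAMPLE)):
        print(i, sorted(f.apis()), classify(f), new_file_writes(f), registry_hives(f))
```

Feeding the full listing instead of SAMPLE gives one label set per function; a label only says that the API set is present, so the self-delete match still needs the dropped script's content (the `?` path) to be confirmed from the dropped-files section before it is reported as fact.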
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen
                                                                      • String ID: $localcfg
                                                                      • API String ID: 1659193697-2018645984
                                                                      • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                      • Instruction ID: d60557c727d6ab582ed2e570b4d2a722c7184c8f03001642f48a10603414e06c
                                                                      • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                      • Instruction Fuzzy Hash: 4C714D71A023C8ABDF218BD6DC85FEE376B9F00714F34406AF905A6191DA61BDC4875B
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                      • String ID: flags_upd$localcfg
                                                                      • API String ID: 204374128-3505511081
                                                                      • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                      • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                      APIs
                                                                        • Part of subcall function 006EDF6C: GetCurrentThreadId.KERNEL32 ref: 006EDFBA
                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 006EE8FA
                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,006E6128), ref: 006EE950
                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 006EE989
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                      • String ID: A$ A$ A
                                                                      • API String ID: 2920362961-1846390581
                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                      • Instruction ID: 8e1fee7c1a872965d0454d35fcf49451b94f0c7c68f3a9a398cf1ef2f19f465b
                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                      • Instruction Fuzzy Hash: 7B31CF31602785DFCF71CF26C884BE67BE6EB15720F10892AE55687652E372EC80CB85
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Code
                                                                      • String ID:
                                                                      • API String ID: 3609698214-0
                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                      • Instruction ID: b5461718b341e8b26fa955c4567864dec0a7e2870d7f5e7d9098f34a90719dfb
                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                      • Instruction Fuzzy Hash: 6D218E7610A355BFDB109B72FC49EDF3FAEDB483A0B208465F502D1091EB719A009678
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                      • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                      • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                      • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 3819781495-0
                                                                      • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                      • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                      • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                      • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 006EC6B4
                                                                      • InterlockedIncrement.KERNEL32(006EC74B), ref: 006EC715
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,006EC747), ref: 006EC728
                                                                      • CloseHandle.KERNEL32(00000000,?,006EC747,00413588,006E8A77), ref: 006EC733
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 1026198776-1857712256
                                                                      • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                      • Instruction ID: c52be29b7f79b3ed000d51a58abe81a842cad18743b8440623c85279e3e55273
                                                                      • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                      • Instruction Fuzzy Hash: E4514DB1A02B818FD7648F6AC5C552BBBEAFB48310B50593EE18BC7B90D774F8418B14
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: PromptOnSecureDesktop
• API String ID: 124786226-2980165447
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID: PromptOnSecureDesktop
• API String ID: 2667537340-2980165447
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 006E71E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 006E7228
• LocalFree.KERNEL32(?,?,?), ref: 006E7286
• wsprintfA.USER32 ref: 006E729D
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
APIs
• GetLocalTime.KERNEL32(?), ref: 006EB51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006EB529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 006EB548
• GetTimeZoneInformation.KERNEL32(?), ref: 006EB590
• wsprintfA.USER32 ref: 006EB61E
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• API String ID: 4026320513-0
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 006E6303
• LoadLibraryA.KERNEL32(?), ref: 006E632A
• GetProcAddress.KERNEL32(00000000,?), ref: 006E63B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 006E6405
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• API String ID: 3498078134-0
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
APIs
• GetTickCount.KERNEL32 ref: 0040272E
• htons.WS2_32(00000001), ref: 00402752
• htons.WS2_32(0000000F), ref: 004027D5
• htons.WS2_32(00000001), ref: 004027E3
• sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
  • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
  • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: htons$Heap$AllocateCountProcessTicksendto
• API String ID: 1128258776-0
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: setsockopt
• API String ID: 3981526788-0
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
APIs
• WriteFile.KERNEL32(00000001,Dn,00000000,00000000,00000000), ref: 006EE470
• CloseHandle.KERNEL32(00000001,00000003), ref: 006EE484
  • Part of subcall function 006EE2FC: RegCreateKeyExA.ADVAPI32(80000001,006EE50A,00000000,00000000,00000000,00020106,00000000,006EE50A,00000000,000000E4), ref: 006EE319
  • Part of subcall function 006EE2FC: RegSetValueExA.ADVAPI32(006EE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 006EE38E
  • Part of subcall function 006EE2FC: RegDeleteValueA.ADVAPI32(006EE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dn), ref: 006EE3BF
  • Part of subcall function 006EE2FC: RegCloseKey.ADVAPI32(006EE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,Dn,006EE50A), ref: 006EE3C8
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: PromptOnSecureDesktop$Dn
• API String ID: 4151426672-2952939467
APIs
  • Part of subcall function 006EDF6C: GetCurrentThreadId.KERNEL32 ref: 006EDFBA
• GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,006EA6AC), ref: 006EE7BF
• ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,006EA6AC), ref: 006EE7EA
• CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,006EA6AC), ref: 006EE819
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
Similarity
• API ID: File$CloseCurrentHandleReadSizeThread
• String ID: PromptOnSecureDesktop
• API String ID: 1396056608-2980165447
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E558
                                                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E583
                                                                      • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 3683885500-2980165447
                                                                      • Opcode ID: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                      • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                      • Opcode Fuzzy Hash: ea61079883e1d137724bdb03d89989e3cb326a6ab799ec698869bd57d3053e24
                                                                      • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                      • API String ID: 2574300362-1087626847
                                                                      • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                      • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                      • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                      • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 006E76D9
                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 006E796D
                                                                      • RegCloseKey.ADVAPI32(?), ref: 006E797E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseEnumOpen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 1332880857-2980165447
                                                                      • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                      • Instruction ID: a5968a76fc28105d66cebdf6ca9fbdc4f713fb9be4dfc1ab8adef3f8a5f3485a
                                                                      • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                      • Instruction Fuzzy Hash: C7110370A05289AFDB118FAEDC45FEFBF7AEF81304F140165F511EA291E6B18D408B60
                                                                      APIs
                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: hi_id$localcfg
                                                                      • API String ID: 2777991786-2393279970
                                                                      • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                      • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                      • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                      • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 006E999D
                                                                      • RegDeleteValueA.ADVAPI32(?,00000000), ref: 006E99BD
                                                                      • RegCloseKey.ADVAPI32(?), ref: 006E99C6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseDeleteOpenValue
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 849931509-2980165447
                                                                      • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                      • Instruction ID: 45e31c42573e0f217caeff6035439d11f2ccea26d22f28786ba6018c66e99220
                                                                      • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                      • Instruction Fuzzy Hash: 83F0F6B2681208BBF7106B51EC07FDB3E2DDB94B10F100074FA05B9082F6E59E9082BD
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                      • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                      • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseDeleteOpenValue
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 849931509-2980165447
                                                                      • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                      • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                      • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                      • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbynameinet_addr
                                                                      • String ID: time_cfg$u6A
                                                                      • API String ID: 1594361348-1940331995
                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction ID: fa9cc74874ea4fc951c224d9e4bd57ab69b6574163e41e90b0ed7465bcb63900
                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction Fuzzy Hash: E2E08C306052528FDB008B29F848AC637ABAF0A330F118181F040C32A0C7349CC09640
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 006E69E5
                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 006E6A26
                                                                      • GetFileSize.KERNEL32(000000FF,00000000), ref: 006E6A3A
                                                                      • CloseHandle.KERNEL32(000000FF), ref: 006E6BD8
                                                                        • Part of subcall function 006EEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,006E1DCF,?), ref: 006EEEA8
                                                                        • Part of subcall function 006EEE95: HeapFree.KERNEL32(00000000), ref: 006EEEAF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                      • String ID:
                                                                      • API String ID: 3384756699-0
                                                                      • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                      • Instruction ID: 876ceefd37b8688be2c5da19b0d916379f81a2691cf6c5f27218bfa1526ca01d
                                                                      • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                      • Instruction Fuzzy Hash: 7B71357190126DEFDB108FA5CC80AEEBBBAFB04354F1045AAF515E6290D7309E92DF60
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf
                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                      • API String ID: 2111968516-120809033
                                                                      • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                      • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                      • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                      • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 006E41AB
                                                                      • GetLastError.KERNEL32 ref: 006E41B5
                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 006E41C6
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 006E41D9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction ID: 09b89624fc6c1051cdbf0717199652f4a91ab3d9a9150d1b35613a702019c13c
                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction Fuzzy Hash: 66014C7651220AAFDF01DFA1ED84BEF3B6DEB18355F004061F901E2150DB70DA908BB5
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 006E421F
                                                                      • GetLastError.KERNEL32 ref: 006E4229
                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 006E423A
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 006E424D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction ID: a8326d53610f7aa24ff2328e6c5ebbd08087bd18e504ba1226bf982f552e0420
                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction Fuzzy Hash: 4E01E972511209AFDF01DFA1ED84BEE7B6DEB08355F108061FA01E2150DB70AA549BB6
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                      • GetLastError.KERNEL32 ref: 00403F4E
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                      • GetLastError.KERNEL32 ref: 00403FC2
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                      APIs
                                                                      • lstrcmp.KERNEL32(?,80000009), ref: 006EE066
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp
                                                                      • String ID: A$ A$ A
                                                                      • API String ID: 1534048567-1846390581
                                                                      • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                      • Instruction ID: 31eb5f9f7b7f59bac6cde67c0cd88d910d484f38078e23d503a28f954589ef9c
                                                                      • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                      • Instruction Fuzzy Hash: BCF09631201752DBCB30CF26D884AC2B7EAFF15321B44862BE154C3260D3B5E8E9CB55
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                      • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                      • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                      • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                      • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                      • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404E9E
                                                                      • GetTickCount.KERNEL32 ref: 00404EAD
                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                      • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                      • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                      • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404BDD
                                                                      • GetTickCount.KERNEL32 ref: 00404BEC
                                                                      • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                      • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                      • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                      • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                      • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00403103
                                                                      • GetTickCount.KERNEL32 ref: 0040310F
                                                                      • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                      • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                      • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                      • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                        • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                        • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                        • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                        • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 4151426672-2980165447
                                                                      • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                      • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                      • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                      • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 006E83C6
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 006E8477
                                                                        • Part of subcall function 006E69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 006E69E5
                                                                        • Part of subcall function 006E69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 006E6A26
                                                                        • Part of subcall function 006E69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 006E6A3A
                                                                        • Part of subcall function 006EEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,006E1DCF,?), ref: 006EEEA8
                                                                        • Part of subcall function 006EEE95: HeapFree.KERNEL32(00000000), ref: 006EEEAF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 359188348-2980165447
                                                                      • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                      • Instruction ID: 72602e6fd30316aa79604930419cc075cb7a92b1bb7738768d98fcc026bf06e4
                                                                      • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                      • Instruction Fuzzy Hash: 7E4196B290238AFFDB10EBA29D81DFF77AEEB00340F14446AF508D7191FA715A548B54
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,006EE859,00000000,00020119,006EE859,PromptOnSecureDesktop), ref: 006EE64D
                                                                      • RegCloseKey.ADVAPI32(006EE859,?,?,?,?,000000C8,000000E4), ref: 006EE787
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpen
                                                                      • String ID: PromptOnSecureDesktop
                                                                      • API String ID: 47109696-2980165447
                                                                      • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                      • Instruction ID: 5aa24a7e2aae3367eaec1bcf3839523e1fa27f217ded861692a09ce4c6928544
                                                                      • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                      • Instruction Fuzzy Hash: 8C4137B2D0025DBFDF11AF95DC81DEEBBBAEB14304F104466F900A6251E3729A55CB64
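The function listings above repeat one layout (an "APIs" list of calls with their stack arguments and addresses, a "Memory Dump Source" line naming the dump region and whether it is backed by a mapped PE image, and a "Similarity" block with API and String IDs), and the same two patterns recur across them: a pair of GetTickCount reads around a Sleep, and registry calls whose first argument is a predefined root handle such as 80000001 with PromptOnSecureDesktop on the stack. The script below is an added triage helper, not part of the Joe Sandbox report or of the sample's code: it parses that listing format into records and flags those patterns plus any function that lives in a dump region marked "based on PE: false". The sample input is abridged from three of the blocks above; the HKEY constant table and the string watch list are the example's own, and the interpretation attached to each flag is a prompt for manual review, not a verdict.

```python
"""Triage helper for Joe Sandbox function listings (APIs / Memory Dump Source / Similarity blocks).
Added example, not part of the report. Parses the listing text, then flags recurring patterns."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Predefined registry root handles as they appear in the first argument of RegXxx calls.
HKEY_NAMES = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}
# Example's own watch list of String IDs worth a manual look.
STRING_WATCHLIST = {"PromptOnSecureDesktop": "UAC secure-desktop policy value name"}
HEADINGS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE, optional (args), ref: addr
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # caller address when listed as "Part of subcall"


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    offset: str = ""                    # base of the dump region the function came from
    based_on_pe: Optional[bool] = None  # False: region is not backed by a mapped PE image
    string_id: str = ""


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the listing at each 'APIs' heading and collect the fields of every block."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            section = "APIs"
            continue
        if cur is None:
            continue
        if line in HEADINGS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"].upper(), m["sub"]))
        elif section == "Memory Dump Source" and line.startswith("• Source File:"):
            om = re.search(r"Offset:\s*([0-9A-Fa-f]+)", line)
            pm = re.search(r"based on PE:\s*(true|false)", line)
            cur.offset = om.group(1).upper() if om else ""
            cur.based_on_pe = (pm.group(1) == "true") if pm else None
        elif section == "Similarity" and line.startswith("• String ID:"):
            cur.string_id = line[len("• String ID:"):].strip()
    return blocks


def triage(block: FunctionBlock) -> List[str]:
    """Return human-readable findings for one block; empty list means nothing flagged."""
    findings = []
    direct = [c.name for c in block.calls if c.subcall_of is None]
    # Two GetTickCount reads bracketing a Sleep: elapsed time is measured. That is the shape of a
    # timed spin-wait or of a timing check; which one it is must be decided from the disassembly.
    if direct.count("GetTickCount") >= 2 and "Sleep" in direct:
        findings.append("elapsed time measured around Sleep (timing check or timed spin-wait)")
    for c in block.calls:
        if c.name.startswith("Reg") and c.args and c.args[0] in HKEY_NAMES:
            via = f" (via {c.subcall_of})" if c.subcall_of else ""
            findings.append(f"{c.name} on {HKEY_NAMES[c.args[0]]} at {c.ref}{via}")
    if block.string_id in STRING_WATCHLIST:
        findings.append(f"string '{block.string_id}': {STRING_WATCHLIST[block.string_id]}")
    if block.based_on_pe is False:
        findings.append(f"code at {block.offset} is not backed by a mapped PE image (unpacked or injected code)")
    return findings


def triage_all(blocks: List[FunctionBlock]) -> List[dict]:
    """Findings for every flagged block, keyed by dump offset and first call address."""
    out = []
    for b in blocks:
        f = triage(b)
        if f:
            out.append({"offset": b.offset, "first_ref": b.calls[0].ref if b.calls else "?", "findings": f})
    return out


# Constructed input: three blocks abridged from the listing above, same layout as the report.
SAMPLE = """\
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
APIs
• WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
• CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
  • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
  • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
Strings
Memory Dump Source
• Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• String ID: PromptOnSecureDesktop
APIs
• RegOpenKeyExA.ADVAPI32(80000001,006EE859,00000000,00020119,006EE859,PromptOnSecureDesktop), ref: 006EE64D
• RegCloseKey.ADVAPI32(006EE859,?,?,?,?,000000C8,000000E4), ref: 006EE787
Strings
Memory Dump Source
• Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
Similarity
• String ID: PromptOnSecureDesktop
"""

if __name__ == "__main__":
    for entry in triage_all(parse_blocks(SAMPLE)):
        print(f"{entry['offset']} @ {entry['first_ref']}")
        for finding in entry["findings"]:
            print("   -", finding)
```

Feeding the whole report section in place of SAMPLE gives one entry per flagged function; grouping the output by offset separates the original image at 00400000 from the 006E0000 region, which the report marks as not based on a PE and which therefore holds the code that was unpacked at run time.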
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 006EAFFF
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 006EB00D
                                                                        • Part of subcall function 006EAF6F: gethostname.WS2_32(?,00000080), ref: 006EAF83
                                                                        • Part of subcall function 006EAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 006EAFE6
                                                                        • Part of subcall function 006E331C: gethostname.WS2_32(?,00000080), ref: 006E333F
                                                                        • Part of subcall function 006E331C: gethostbyname.WS2_32(?), ref: 006E3349
                                                                        • Part of subcall function 006EAA0A: inet_ntoa.WS2_32(00000000), ref: 006EAA10
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %OUTLOOK_BND_
                                                                      • API String ID: 1981676241-3684217054
                                                                      • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                      • Instruction ID: f31e0ca66c7703fc96d2d2c6df0c9d0a7a6a481ec92bc3c099938086cecd3616
                                                                      • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                      • Instruction Fuzzy Hash: B041537290034CABDB65EFA1DC46EEF3B6DFF04304F24442AF92492152EB75E6548B58
                                                                      APIs
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 006E9536
                                                                      • Sleep.KERNEL32(000001F4), ref: 006E955D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShellSleep
                                                                      • String ID:
                                                                      • API String ID: 4194306370-3916222277
                                                                      • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                      • Instruction ID: eb1bc0d46b14176002b3c18f98ea6a476b397a217247a3141f1da91ee177880c
                                                                      • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                      • Instruction Fuzzy Hash: B741F5718053C5AEEB378B66D8887F63BE69F02314F2441A5D486972D2E6B44D82C771
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 006EB9D9
                                                                      • InterlockedIncrement.KERNEL32(00413648), ref: 006EBA3A
                                                                      • InterlockedIncrement.KERNEL32(?), ref: 006EBA94
                                                                      • GetTickCount.KERNEL32 ref: 006EBB79
                                                                      • GetTickCount.KERNEL32 ref: 006EBB99
                                                                      • InterlockedIncrement.KERNEL32(?), ref: 006EBE15
                                                                      • closesocket.WS2_32(00000000), ref: 006EBEB4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountIncrementInterlockedTick$closesocket
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 1869671989-2903620461
                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                      • Instruction ID: f7fd1cbddb449231b1c71726d046be1402d9e5760effb82d8f9056a912f36867
                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                      • Instruction Fuzzy Hash: FB31B171801388DFDF25DFA6DC84AEE77BAEB48700F20406AFA2482161DB70DA85CF14
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 536389180-1857712256
                                                                      • Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                      • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                      • Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
                                                                      • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                      APIs
                                                                      Strings
                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTickwsprintf
                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                      • API String ID: 2424974917-1012700906
                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                      APIs
                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 3716169038-2903620461
                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                      APIs
                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 006E70BC
                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 006E70F4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountLookupUser
                                                                      • String ID: |
                                                                      • API String ID: 2370142434-2343686810
                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction ID: 3842949b3b6fe2451c09667d9a301e924b2a0ce67e15df2437520d2a9468f578
                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction Fuzzy Hash: C7113C7290539CEBDF11CFD5DC84ADEB7BEAB05301F1841A6E501E7190E6709B88EBA1
                                                                      APIs
                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: localcfg
                                                                      • API String ID: 2777991786-1857712256
                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                      APIs
                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                      • String ID: %FROM_EMAIL
                                                                      • API String ID: 224340156-2903620461
                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                      APIs
                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                      • String ID: localcfg
                                                                      • API String ID: 2112563974-1857712256
                                                                      • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                      • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbynameinet_addr
                                                                      • String ID: time_cfg
                                                                      • API String ID: 1594361348-2401304539
                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: ntdll.dll
                                                                      • API String ID: 2574300362-2227199552
                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                      APIs
                                                                        • Part of subcall function 006E2F88: GetModuleHandleA.KERNEL32(?), ref: 006E2FA1
                                                                        • Part of subcall function 006E2F88: LoadLibraryA.KERNEL32(?), ref: 006E2FB1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E31DA
                                                                      • HeapFree.KERNEL32(00000000), ref: 006E31E1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038872801.00000000006E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_6e0000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0
                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                      • Instruction ID: d0140186e823e0ae0f7f37513e77d73466cd0c3a2d84e3e0316d31c938e8cd96
                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                      • Instruction Fuzzy Hash: 5551AA3190139AAFCB019F65D8889EAB776FF15300F2441A8ED9687311E732DB59CB94
                                                                      APIs
                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2038594977.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2038594977.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_lYWiDKe1In.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0
                                                                      • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                      • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                      Execution Graph

                                                                      Execution Coverage:2.7%
                                                                      Dynamic/Decrypted Code Coverage:2.1%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:1574
                                                                      Total number of Limit Nodes:12
15410 40d3e0 SetFileAttributesA 15410->15401 15411->15414 15415 40d2d8 WriteFile CloseHandle 15411->15415 15412->15414 15413 40d452 SetFileAttributesA 15413->15414 15414->15353 15414->15355 15414->15360 15414->15366 15414->15367 15414->15368 15414->15369 15414->15370 15414->15371 15414->15373 15414->15375 15414->15376 15414->15377 15414->15378 15414->15379 15414->15380 15414->15381 15414->15382 15414->15383 15414->15384 15414->15390 15414->15391 15414->15392 15414->15393 15414->15395 15414->15396 15414->15398 15414->15400 15414->15401 15414->15407 15414->15409 15414->15410 15414->15411 15414->15413 15416 407ee6 64 API calls 15414->15416 15417 40d29f SetFileAttributesA 15414->15417 15420 40d31d SetFileAttributesA 15414->15420 15849 40c75d 15414->15849 15861 407e2f 15414->15861 15883 407ead 15414->15883 15893 4031d0 15414->15893 15910 403c09 15414->15910 15920 403a00 15414->15920 15924 40e7b4 15414->15924 15927 40c06c 15414->15927 15933 406f5f GetUserNameA 15414->15933 15944 40e854 15414->15944 15954 407dd6 15414->15954 15415->15414 15416->15414 15417->15411 15420->15414 15422 40741b 15421->15422 15423 406dc2 6 API calls 15422->15423 15424 40743f 15423->15424 15425 407469 RegOpenKeyExA 15424->15425 15426 4077f9 15425->15426 15437 407487 ___ascii_stricmp 15425->15437 15426->15094 15427 407703 RegEnumKeyA 15428 407714 RegCloseKey 15427->15428 15427->15437 15428->15426 15429 40f1a5 lstrlenA 15429->15437 15430 4074d2 RegOpenKeyExA 15430->15437 15431 40772c 15433 407742 RegCloseKey 15431->15433 15434 40774b 15431->15434 15432 407521 RegQueryValueExA 15432->15437 15433->15434 15435 4077ec RegCloseKey 15434->15435 15435->15426 15436 4076e4 RegCloseKey 15436->15437 15437->15427 15437->15429 15437->15430 15437->15431 15437->15432 15437->15436 15439 40777e GetFileAttributesExA 15437->15439 15440 407769 15437->15440 15438 4077e3 RegCloseKey 15438->15435 15439->15440 15440->15438 15442 407073 15441->15442 15443 4070b9 RegOpenKeyExA 15442->15443 15444 4070d0 15443->15444 15458 
4071b8 15443->15458 15445 406dc2 6 API calls 15444->15445 15448 4070d5 15445->15448 15446 40719b RegEnumValueA 15447 4071af RegCloseKey 15446->15447 15446->15448 15447->15458 15448->15446 15450 4071d0 15448->15450 15464 40f1a5 lstrlenA 15448->15464 15451 407205 RegCloseKey 15450->15451 15452 407227 15450->15452 15451->15458 15453 4072b8 ___ascii_stricmp 15452->15453 15454 40728e RegCloseKey 15452->15454 15455 4072cd RegCloseKey 15453->15455 15456 4072dd 15453->15456 15454->15458 15455->15458 15457 407311 RegCloseKey 15456->15457 15460 407335 15456->15460 15457->15458 15458->15098 15459 4073d5 RegCloseKey 15461 4073e4 15459->15461 15460->15459 15462 40737e GetFileAttributesExA 15460->15462 15463 407397 15460->15463 15462->15463 15463->15459 15465 40f1c3 15464->15465 15465->15448 15467 406e5f LookupAccountNameW 15466->15467 15468 406e97 15466->15468 15467->15468 15468->15100 15470 40eb17 15469->15470 15471 40eb21 15469->15471 15479 40eae4 15470->15479 15471->15140 15475 4069b9 WriteFile 15473->15475 15476 406a3c 15475->15476 15477 4069ff 15475->15477 15476->15136 15476->15137 15477->15476 15478 406a10 WriteFile 15477->15478 15478->15476 15478->15477 15480 40eb02 GetProcAddress 15479->15480 15481 40eaed LoadLibraryA 15479->15481 15480->15471 15481->15480 15482 40eb01 15481->15482 15482->15471 15484 401924 GetVersionExA 15483->15484 15484->15151 15486 406eef AllocateAndInitializeSid 15485->15486 15492 406f55 15485->15492 15487 406f44 15486->15487 15488 406f1c CheckTokenMembership 15486->15488 15491 406e36 2 API calls 15487->15491 15487->15492 15489 406f3b FreeSid 15488->15489 15490 406f2e 15488->15490 15489->15487 15490->15489 15491->15492 15492->15161 15494 40f0f1 15493->15494 15495 40f0ed 15493->15495 15496 40f119 15494->15496 15497 40f0fa lstrlenA SysAllocStringByteLen 15494->15497 15495->15183 15499 40f11c MultiByteToWideChar 15496->15499 15498 40f117 15497->15498 15497->15499 15498->15183 15499->15498 15501 401820 17 API calls 15500->15501 15502 4018f2 
15501->15502 15503 4018f9 15502->15503 15517 401280 15502->15517 15503->15178 15505 401908 15505->15178 15529 401000 15506->15529 15508 401839 15509 401851 GetCurrentProcess 15508->15509 15510 40183d 15508->15510 15511 401864 15509->15511 15510->15169 15511->15169 15513 409308 15512->15513 15515 40920e 15512->15515 15513->15178 15514 4092f1 Sleep 15514->15515 15515->15513 15515->15514 15515->15515 15516 4092bf ShellExecuteA 15515->15516 15516->15513 15516->15515 15518 4012e1 15517->15518 15518->15518 15519 4016f9 GetLastError 15518->15519 15525 4013a8 15518->15525 15528 401699 15519->15528 15520 401570 lstrlenW 15520->15525 15521 4015be GetStartupInfoW 15521->15525 15522 4015ff CreateProcessWithLogonW 15523 4016bf GetLastError 15522->15523 15524 40163f WaitForSingleObject 15522->15524 15523->15528 15524->15525 15526 401659 CloseHandle 15524->15526 15525->15520 15525->15521 15525->15522 15527 401668 CloseHandle 15525->15527 15525->15528 15526->15525 15527->15525 15528->15505 15530 40100d LoadLibraryA 15529->15530 15538 401023 15529->15538 15531 401021 15530->15531 15530->15538 15531->15508 15532 4010b5 GetProcAddress 15533 4010d1 GetProcAddress 15532->15533 15534 40127b 15532->15534 15533->15534 15535 4010f0 GetProcAddress 15533->15535 15534->15508 15535->15534 15536 401110 GetProcAddress 15535->15536 15536->15534 15537 401130 GetProcAddress 15536->15537 15537->15534 15539 40114f GetProcAddress 15537->15539 15538->15532 15549 4010ae 15538->15549 15539->15534 15540 40116f GetProcAddress 15539->15540 15540->15534 15541 40118f GetProcAddress 15540->15541 15541->15534 15542 4011ae GetProcAddress 15541->15542 15542->15534 15543 4011ce GetProcAddress 15542->15543 15543->15534 15544 4011ee GetProcAddress 15543->15544 15544->15534 15545 401209 GetProcAddress 15544->15545 15545->15534 15546 401225 GetProcAddress 15545->15546 15546->15534 15547 401241 GetProcAddress 15546->15547 15547->15534 15548 40125c GetProcAddress 15547->15548 15548->15534 15549->15508 15551 40908d 
15550->15551 15552 4090e2 wsprintfA 15551->15552 15553 40ee2a 15552->15553 15554 4090fd CreateFileA 15553->15554 15555 40911a lstrlenA WriteFile CloseHandle 15554->15555 15556 40913f 15554->15556 15555->15556 15556->15199 15556->15200 15558 40dd41 InterlockedExchange 15557->15558 15559 40dd20 GetCurrentThreadId 15558->15559 15560 40dd4a 15558->15560 15561 40dd53 GetCurrentThreadId 15559->15561 15562 40dd2e GetTickCount 15559->15562 15560->15561 15561->15203 15562->15560 15563 40dd39 Sleep 15562->15563 15563->15558 15565 40dbf0 15564->15565 15597 40db67 GetEnvironmentVariableA 15565->15597 15567 40dcda 15567->15205 15568 40dc19 15568->15567 15569 40db67 3 API calls 15568->15569 15570 40dc5c 15569->15570 15570->15567 15571 40db67 3 API calls 15570->15571 15572 40dc9b 15571->15572 15572->15567 15573 40db67 3 API calls 15572->15573 15573->15567 15575 40db55 15574->15575 15576 40db3a 15574->15576 15575->15207 15575->15212 15601 40ebed 15576->15601 15610 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15578->15610 15580 40e3be 15580->15207 15581 40e342 15581->15580 15613 40de24 15581->15613 15584 40e528 15583->15584 15585 40e3f4 15583->15585 15584->15217 15586 40e434 RegQueryValueExA 15585->15586 15587 40e458 15586->15587 15588 40e51d RegCloseKey 15586->15588 15589 40e46e RegQueryValueExA 15587->15589 15588->15584 15589->15587 15590 40e488 15589->15590 15590->15588 15591 40db2e 8 API calls 15590->15591 15592 40e499 15591->15592 15592->15588 15593 40e4b9 RegQueryValueExA 15592->15593 15594 40e4e8 15592->15594 15593->15592 15593->15594 15594->15588 15595 40e332 14 API calls 15594->15595 15596 40e513 15595->15596 15596->15588 15598 40db89 lstrcpyA CreateFileA 15597->15598 15599 40dbca 15597->15599 15598->15568 15599->15568 15602 40ec01 15601->15602 15603 40ebf6 15601->15603 15605 40eba0 codecvt 2 API calls 15602->15605 15604 40ebcc 4 API calls 15603->15604 15606 40ebfe 15604->15606 15607 40ec0a GetProcessHeap HeapReAlloc 15605->15607 15606->15575 15608 40eb74 2 API 
calls 15607->15608 15609 40ec28 15608->15609 15609->15575 15624 40eb41 15610->15624 15614 40de3a 15613->15614 15619 40de4e 15614->15619 15628 40dd84 15614->15628 15617 40de9e 15618 40ebed 8 API calls 15617->15618 15617->15619 15622 40def6 15618->15622 15619->15581 15620 40de76 15632 40ddcf 15620->15632 15622->15619 15623 40ddcf lstrcmpA 15622->15623 15623->15619 15625 40eb54 15624->15625 15626 40eb4a 15624->15626 15625->15581 15627 40eae4 2 API calls 15626->15627 15627->15625 15629 40ddc5 15628->15629 15630 40dd96 15628->15630 15629->15617 15629->15620 15630->15629 15631 40ddad lstrcmpiA 15630->15631 15631->15629 15631->15630 15633 40dddd 15632->15633 15635 40de20 15632->15635 15634 40ddfa lstrcmpA 15633->15634 15633->15635 15634->15633 15635->15619 15637 40dd05 6 API calls 15636->15637 15638 40e821 15637->15638 15639 40dd84 lstrcmpiA 15638->15639 15640 40e82c 15639->15640 15641 40e844 15640->15641 15684 402480 15640->15684 15641->15232 15644 40dd05 6 API calls 15643->15644 15645 40df7c 15644->15645 15646 40dd84 lstrcmpiA 15645->15646 15649 40df89 15646->15649 15647 40dfc4 15647->15239 15648 40ddcf lstrcmpA 15648->15649 15649->15647 15649->15648 15650 40ec2e codecvt 4 API calls 15649->15650 15651 40dd84 lstrcmpiA 15649->15651 15650->15649 15651->15649 15653 40ea98 15652->15653 15693 40e8a1 15653->15693 15655 401e84 15655->15240 15657 4019d5 GetProcAddress GetProcAddress GetProcAddress 15656->15657 15660 4019ce 15656->15660 15658 401ab3 FreeLibrary 15657->15658 15659 401a04 15657->15659 15658->15660 15659->15658 15661 401a14 GetProcessHeap 15659->15661 15660->15245 15661->15660 15663 401a2e HeapAlloc 15661->15663 15663->15660 15664 401a42 15663->15664 15665 401a52 HeapReAlloc 15664->15665 15667 401a62 15664->15667 15665->15667 15666 401aa1 FreeLibrary 15666->15660 15667->15666 15668 401a96 HeapFree 15667->15668 15668->15666 15721 401ac3 LoadLibraryA 15669->15721 15672 401bcf 15672->15255 15674 401ac3 12 API calls 15673->15674 15675 401c09 15674->15675 15676 401c0d 
GetComputerNameA 15675->15676 15679 401c41 15675->15679 15677 401c45 GetVolumeInformationA 15676->15677 15678 401c1f 15676->15678 15677->15679 15678->15677 15678->15679 15679->15265 15681 40ee2a 15680->15681 15682 4030d0 gethostname gethostbyname 15681->15682 15683 401f82 15682->15683 15683->15270 15683->15271 15687 402419 lstrlenA 15684->15687 15686 402491 15686->15641 15688 402474 15687->15688 15689 40243d lstrlenA 15687->15689 15688->15686 15690 402464 lstrlenA 15689->15690 15691 40244e lstrcmpiA 15689->15691 15690->15688 15690->15689 15691->15690 15692 40245c 15691->15692 15692->15688 15692->15690 15694 40dd05 6 API calls 15693->15694 15695 40e8b4 15694->15695 15696 40dd84 lstrcmpiA 15695->15696 15697 40e8c0 15696->15697 15698 40e90a 15697->15698 15699 40e8c8 lstrcpynA 15697->15699 15701 402419 4 API calls 15698->15701 15709 40ea27 15698->15709 15700 40e8f5 15699->15700 15714 40df4c 15700->15714 15702 40e926 lstrlenA lstrlenA 15701->15702 15704 40e96a 15702->15704 15705 40e94c lstrlenA 15702->15705 15708 40ebcc 4 API calls 15704->15708 15704->15709 15705->15704 15706 40e901 15707 40dd84 lstrcmpiA 15706->15707 15707->15698 15710 40e98f 15708->15710 15709->15655 15710->15709 15711 40df4c 20 API calls 15710->15711 15712 40ea1e 15711->15712 15713 40ec2e codecvt 4 API calls 15712->15713 15713->15709 15715 40dd05 6 API calls 15714->15715 15716 40df51 15715->15716 15717 40f04e 4 API calls 15716->15717 15718 40df58 15717->15718 15719 40de24 10 API calls 15718->15719 15720 40df63 15719->15720 15720->15706 15722 401ae2 GetProcAddress 15721->15722 15726 401b68 GetComputerNameA GetVolumeInformationA 15721->15726 15723 401af5 15722->15723 15722->15726 15724 401b29 15723->15724 15725 40ebed 8 API calls 15723->15725 15724->15726 15727 40ec2e codecvt 4 API calls 15724->15727 15725->15723 15726->15672 15727->15726 15729 406ec3 2 API calls 15728->15729 15730 407ef4 15729->15730 15731 4073ff 17 API calls 15730->15731 15732 407fc9 15730->15732 15733 407f16 15731->15733 
15732->15282 15733->15732 15741 407809 GetUserNameA 15733->15741 15735 407f63 15735->15732 15736 40ef1e lstrlenA 15735->15736 15737 407fa6 15736->15737 15738 40ef1e lstrlenA 15737->15738 15739 407fb7 15738->15739 15765 407a95 RegOpenKeyExA 15739->15765 15742 40783d LookupAccountNameA 15741->15742 15743 407a8d 15741->15743 15742->15743 15744 407874 GetLengthSid GetFileSecurityA 15742->15744 15743->15735 15744->15743 15745 4078a8 GetSecurityDescriptorOwner 15744->15745 15746 4078c5 EqualSid 15745->15746 15747 40791d GetSecurityDescriptorDacl 15745->15747 15746->15747 15748 4078dc LocalAlloc 15746->15748 15747->15743 15755 407941 15747->15755 15748->15747 15749 4078ef InitializeSecurityDescriptor 15748->15749 15750 407916 LocalFree 15749->15750 15751 4078fb SetSecurityDescriptorOwner 15749->15751 15750->15747 15751->15750 15753 40790b SetFileSecurityA 15751->15753 15752 40795b GetAce 15752->15755 15753->15750 15754 407980 EqualSid 15754->15755 15755->15743 15755->15752 15755->15754 15756 407a3d 15755->15756 15757 4079be EqualSid 15755->15757 15758 40799d DeleteAce 15755->15758 15756->15743 15759 407a43 LocalAlloc 15756->15759 15757->15755 15758->15755 15759->15743 15760 407a56 InitializeSecurityDescriptor 15759->15760 15761 407a62 SetSecurityDescriptorDacl 15760->15761 15762 407a86 LocalFree 15760->15762 15761->15762 15763 407a73 SetFileSecurityA 15761->15763 15762->15743 15763->15762 15764 407a83 15763->15764 15764->15762 15766 407ac4 15765->15766 15767 407acb GetUserNameA 15765->15767 15766->15732 15768 407da7 RegCloseKey 15767->15768 15769 407aed LookupAccountNameA 15767->15769 15768->15766 15769->15768 15770 407b24 RegGetKeySecurity 15769->15770 15770->15768 15771 407b49 GetSecurityDescriptorOwner 15770->15771 15772 407b63 EqualSid 15771->15772 15773 407bb8 GetSecurityDescriptorDacl 15771->15773 15772->15773 15775 407b74 LocalAlloc 15772->15775 15774 407da6 15773->15774 15782 407bdc 15773->15782 15774->15768 15775->15773 15776 407b8a InitializeSecurityDescriptor 
15775->15776 15778 407bb1 LocalFree 15776->15778 15779 407b96 SetSecurityDescriptorOwner 15776->15779 15777 407bf8 GetAce 15777->15782 15778->15773 15779->15778 15780 407ba6 RegSetKeySecurity 15779->15780 15780->15778 15781 407c1d EqualSid 15781->15782 15782->15774 15782->15777 15782->15781 15783 407cd9 15782->15783 15784 407c5f EqualSid 15782->15784 15785 407c3a DeleteAce 15782->15785 15783->15774 15786 407d5a LocalAlloc 15783->15786 15788 407cf2 RegOpenKeyExA 15783->15788 15784->15782 15785->15782 15786->15774 15787 407d70 InitializeSecurityDescriptor 15786->15787 15789 407d7c SetSecurityDescriptorDacl 15787->15789 15790 407d9f LocalFree 15787->15790 15788->15786 15793 407d0f 15788->15793 15789->15790 15791 407d8c RegSetKeySecurity 15789->15791 15790->15774 15791->15790 15792 407d9c 15791->15792 15792->15790 15794 407d43 RegSetValueExA 15793->15794 15794->15786 15795 407d54 15794->15795 15795->15786 15796->15299 15798 40dd05 6 API calls 15797->15798 15801 40e65f 15798->15801 15799 40e6a5 15800 40ebcc 4 API calls 15799->15800 15806 40e6f5 15799->15806 15803 40e6b0 15800->15803 15801->15799 15802 40e68c lstrcmpA 15801->15802 15802->15801 15804 40e6b7 15803->15804 15805 40e6e0 lstrcpynA 15803->15805 15803->15806 15804->15301 15805->15806 15806->15804 15807 40e71d lstrcmpA 15806->15807 15807->15806 15808->15307 15810 40c525 15809->15810 15811 40c532 15809->15811 15810->15811 15813 40ec2e codecvt 4 API calls 15810->15813 15812 40c548 15811->15812 15961 40e7ff 15811->15961 15814 40c54f 15812->15814 15817 40e7ff lstrcmpiA 15812->15817 15813->15811 15814->15320 15818 40c615 15817->15818 15818->15814 15819 40ebcc 4 API calls 15818->15819 15819->15814 15820 40c5d1 15822 40ebcc 4 API calls 15820->15822 15821 40e819 11 API calls 15823 40c5b7 15821->15823 15822->15814 15824 40f04e 4 API calls 15823->15824 15825 40c5bf 15824->15825 15825->15812 15825->15820 15827 402692 inet_addr 15826->15827 15828 40268e 15826->15828 15827->15828 15829 40269e gethostbyname 15827->15829 15830 
40f428 15828->15830 15829->15828 15964 40f315 15830->15964 15834 40c8d2 15833->15834 15835 40c907 15834->15835 15836 40c517 23 API calls 15834->15836 15835->15338 15836->15835 15837 40f43e 15838 40f473 recv 15837->15838 15839 40f458 15838->15839 15840 40f47c 15838->15840 15839->15838 15839->15840 15840->15337 15842 40c670 15841->15842 15843 40c67d 15841->15843 15844 40ebcc 4 API calls 15842->15844 15845 40ebcc 4 API calls 15843->15845 15846 40c699 15843->15846 15844->15843 15845->15846 15847 40c6f3 15846->15847 15848 40c73c send 15846->15848 15847->15351 15847->15414 15848->15847 15850 40c770 15849->15850 15851 40c77d 15849->15851 15853 40ebcc 4 API calls 15850->15853 15852 40c799 15851->15852 15854 40ebcc 4 API calls 15851->15854 15855 40c7b5 15852->15855 15856 40ebcc 4 API calls 15852->15856 15853->15851 15854->15852 15857 40f43e recv 15855->15857 15856->15855 15858 40c7cb 15857->15858 15859 40f43e recv 15858->15859 15860 40c7d3 15858->15860 15859->15860 15860->15414 15977 407db7 15861->15977 15864 407e70 15866 40f04e 4 API calls 15864->15866 15868 407e96 15864->15868 15865 40f04e 4 API calls 15867 407e4c 15865->15867 15866->15868 15867->15864 15869 40f04e 4 API calls 15867->15869 15868->15414 15869->15864 15871 406ec3 2 API calls 15870->15871 15872 407fdd 15871->15872 15873 4073ff 17 API calls 15872->15873 15882 4080c2 CreateProcessA 15872->15882 15874 407fff 15873->15874 15875 407809 21 API calls 15874->15875 15874->15882 15876 40804d 15875->15876 15877 40ef1e lstrlenA 15876->15877 15876->15882 15878 40809e 15877->15878 15879 40ef1e lstrlenA 15878->15879 15880 4080af 15879->15880 15881 407a95 24 API calls 15880->15881 15881->15882 15882->15402 15882->15403 15884 407db7 2 API calls 15883->15884 15885 407eb8 15884->15885 15886 40f04e 4 API calls 15885->15886 15887 407ece DeleteFileA 15886->15887 15887->15414 15889 40dd05 6 API calls 15888->15889 15890 40e31d 15889->15890 15981 40e177 15890->15981 15892 40e326 15892->15374 15894 4031f3 15893->15894 15904 4031ec 
15893->15904 15895 40ebcc 4 API calls 15894->15895 15909 4031fc 15895->15909 15896 40344b 15897 403459 15896->15897 15898 40349d 15896->15898 15900 40f04e 4 API calls 15897->15900 15899 40ec2e codecvt 4 API calls 15898->15899 15899->15904 15901 40345f 15900->15901 15903 4030fa 4 API calls 15901->15903 15902 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15902->15909 15903->15904 15904->15414 15905 40344d 15906 40ec2e codecvt 4 API calls 15905->15906 15906->15896 15908 403141 lstrcmpiA 15908->15909 15909->15896 15909->15902 15909->15904 15909->15905 15909->15908 16007 4030fa GetTickCount 15909->16007 15911 4030fa 4 API calls 15910->15911 15912 403c1a 15911->15912 15916 403ce6 15912->15916 16012 403a72 15912->16012 15915 403a72 9 API calls 15919 403c5e 15915->15919 15916->15414 15917 403a72 9 API calls 15917->15919 15918 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15918->15919 15919->15916 15919->15917 15919->15918 15921 403a10 15920->15921 15922 4030fa 4 API calls 15921->15922 15923 403a1a 15922->15923 15923->15414 15925 40dd05 6 API calls 15924->15925 15926 40e7be 15925->15926 15926->15414 15928 40c105 15927->15928 15929 40c07e wsprintfA 15927->15929 15928->15414 16021 40bfce GetTickCount wsprintfA 15929->16021 15931 40c0ef 16022 40bfce GetTickCount wsprintfA 15931->16022 15934 407047 15933->15934 15935 406f88 LookupAccountNameA 15933->15935 15934->15414 15937 407025 15935->15937 15938 406fcb 15935->15938 15939 406edd 5 API calls 15937->15939 15941 406fdb ConvertSidToStringSidA 15938->15941 15940 40702a wsprintfA 15939->15940 15940->15934 15941->15937 15942 406ff1 15941->15942 15942->15942 15943 407013 LocalFree 15942->15943 15943->15937 15945 40dd05 6 API calls 15944->15945 15946 40e85c 15945->15946 15947 40dd84 lstrcmpiA 15946->15947 15948 40e867 15947->15948 15949 40e885 lstrcpyA 15948->15949 16023 4024a5 15948->16023 16026 40dd69 15949->16026 15955 407db7 2 API calls 15954->15955 15956 407de1 15955->15956 15957 40f04e 4 API calls 
15956->15957 15960 407e16 15956->15960 15958 407df2 15957->15958 15959 40f04e 4 API calls 15958->15959 15958->15960 15959->15960 15960->15414 15962 40dd84 lstrcmpiA 15961->15962 15963 40c58e 15962->15963 15963->15812 15963->15820 15963->15821 15965 40ca1d 15964->15965 15966 40f33b 15964->15966 15965->15334 15965->15837 15967 40f347 htons socket 15966->15967 15968 40f382 ioctlsocket 15967->15968 15969 40f374 closesocket 15967->15969 15970 40f3aa connect select 15968->15970 15971 40f39d 15968->15971 15969->15965 15970->15965 15973 40f3f2 __WSAFDIsSet 15970->15973 15972 40f39f closesocket 15971->15972 15972->15965 15973->15972 15974 40f403 ioctlsocket 15973->15974 15976 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15974->15976 15976->15965 15978 407dc8 InterlockedExchange 15977->15978 15979 407dc0 Sleep 15978->15979 15980 407dd4 15978->15980 15979->15978 15980->15864 15980->15865 15982 40e184 15981->15982 15983 40e2e4 15982->15983 15984 40e223 15982->15984 15997 40dfe2 15982->15997 15983->15892 15984->15983 15986 40dfe2 8 API calls 15984->15986 15991 40e23c 15986->15991 15987 40e1be 15987->15984 15988 40dbcf 3 API calls 15987->15988 15990 40e1d6 15988->15990 15989 40e21a CloseHandle 15989->15984 15990->15984 15990->15989 15992 40e1f9 WriteFile 15990->15992 15991->15983 16001 40e095 RegCreateKeyExA 15991->16001 15992->15989 15994 40e213 15992->15994 15994->15989 15995 40e2a3 15995->15983 15996 40e095 4 API calls 15995->15996 15996->15983 15998 40dffc 15997->15998 16000 40e024 15997->16000 15999 40db2e 8 API calls 15998->15999 15998->16000 15999->16000 16000->15987 16002 40e172 16001->16002 16003 40e0c0 16001->16003 16002->15995 16005 40e115 RegSetValueExA 16003->16005 16006 40e13d 16003->16006 16004 40e14e RegDeleteValueA RegCloseKey 16004->16002 16005->16003 16005->16006 16006->16004 16008 403122 InterlockedExchange 16007->16008 16009 40312e 16008->16009 16010 40310f GetTickCount 16008->16010 16009->15909 16010->16009 16011 40311a Sleep 16010->16011 
16011->16008 16013 40f04e 4 API calls 16012->16013 16014 403a83 16013->16014 16015 403bc0 16014->16015 16019 403b66 lstrlenA 16014->16019 16020 403ac1 16014->16020 16016 403be6 16015->16016 16017 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16015->16017 16018 40ec2e codecvt 4 API calls 16016->16018 16017->16015 16018->16020 16019->16014 16019->16020 16020->15915 16020->15916 16021->15931 16022->15928 16024 402419 4 API calls 16023->16024 16025 4024b6 16024->16025 16025->15949 16027 40dd79 lstrlenA 16026->16027 16027->15414 16029 404084 16028->16029 16030 40407d 16028->16030 16031 403ecd 6 API calls 16029->16031 16032 40408f 16031->16032 16033 404000 3 API calls 16032->16033 16035 404095 16033->16035 16034 404130 16036 403ecd 6 API calls 16034->16036 16035->16034 16040 403f18 4 API calls 16035->16040 16037 404159 CreateNamedPipeA 16036->16037 16038 404167 Sleep 16037->16038 16039 404188 ConnectNamedPipe 16037->16039 16038->16034 16041 404176 CloseHandle 16038->16041 16043 404195 GetLastError 16039->16043 16052 4041ab 16039->16052 16042 4040da 16040->16042 16041->16039 16044 403f8c 4 API calls 16042->16044 16045 40425e DisconnectNamedPipe 16043->16045 16043->16052 16047 4040ec 16044->16047 16045->16039 16046 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16046->16052 16048 404127 CloseHandle 16047->16048 16049 404101 16047->16049 16048->16034 16051 403f18 4 API calls 16049->16051 16050 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16050->16052 16053 40411c ExitProcess 16051->16053 16052->16039 16052->16045 16052->16046 16052->16050 16054 40426a CloseHandle CloseHandle 16052->16054 16055 40e318 23 API calls 16054->16055 16056 40427b 16055->16056 16056->16056 16058 408791 16057->16058 16059 40879f 16057->16059 16060 40f04e 4 API calls 16058->16060 16061 4087bc 16059->16061 16062 40f04e 4 API calls 16059->16062 16060->16059 16063 40e819 11 API calls 16061->16063 16062->16061 16064 4087d7 16063->16064 16067 
408803 16064->16067 16079 4026b2 gethostbyaddr 16064->16079 16073 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16067->16073 16074 40e819 11 API calls 16067->16074 16075 4088a0 Sleep 16067->16075 16076 4026b2 2 API calls 16067->16076 16078 40e8a1 30 API calls 16067->16078 16084 408cee 16067->16084 16092 40c4d6 16067->16092 16095 40c4e2 16067->16095 16098 402011 16067->16098 16133 408328 16067->16133 16068 4087eb 16068->16067 16070 40e8a1 30 API calls 16068->16070 16070->16067 16073->16067 16074->16067 16075->16067 16076->16067 16078->16067 16080 4026fb 16079->16080 16081 4026cd 16079->16081 16080->16068 16082 4026e1 inet_ntoa 16081->16082 16083 4026de 16081->16083 16082->16083 16083->16068 16085 408d02 GetTickCount 16084->16085 16086 408dae 16084->16086 16085->16086 16089 408d19 16085->16089 16086->16067 16087 408da1 GetTickCount 16087->16086 16089->16087 16091 408d89 16089->16091 16185 40a677 16089->16185 16188 40a688 16089->16188 16091->16087 16196 40c2dc 16092->16196 16096 40c2dc 141 API calls 16095->16096 16097 40c4ec 16096->16097 16097->16067 16099 402020 16098->16099 16100 40202e 16098->16100 16102 40f04e 4 API calls 16099->16102 16101 40204b 16100->16101 16103 40f04e 4 API calls 16100->16103 16104 40206e GetTickCount 16101->16104 16105 40f04e 4 API calls 16101->16105 16102->16100 16103->16101 16106 402090 16104->16106 16107 4020db GetTickCount 16104->16107 16109 402068 16105->16109 16110 4020d4 GetTickCount 16106->16110 16113 402684 2 API calls 16106->16113 16120 4020ce 16106->16120 16523 401978 16106->16523 16108 402132 GetTickCount GetTickCount 16107->16108 16122 4020e7 16107->16122 16111 40f04e 4 API calls 16108->16111 16109->16104 16110->16107 16114 402159 16111->16114 16112 40212b GetTickCount 16112->16108 16113->16106 16115 4021b4 16114->16115 16118 40e854 13 API calls 16114->16118 16117 40f04e 4 API calls 16115->16117 16119 4021d1 16117->16119 16121 40218e 16118->16121 16124 4021f2 16119->16124 16128 40ea84 30 API 
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                        • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                        • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                        • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                      • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                      • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                      • ExitProcess.KERNEL32 ref: 00409C06
                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                      • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                      • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                      • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                      • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                      • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                      • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                      • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                      • wsprintfA.USER32 ref: 0040A0B6
                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                      • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                        • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                      • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                      • GetLastError.KERNEL32 ref: 0040A3ED
                                                                      • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                      • DeleteFileA.KERNEL32(C:\Users\user\Desktop\lYWiDKe1In.exe), ref: 0040A407
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                      • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                      • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                      • GetTickCount.KERNEL32 ref: 0040A49F
                                                                      • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                      • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                      • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\lYWiDKe1In.exe$C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe$D$P$\$djiglggs
                                                                      • API String ID: 2089075347-874398138
                                                                      • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                      • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                      • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                      • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                      • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                      • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "
                                                                      • API String ID: 3433985886-123907689
                                                                      • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                      • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                      Control-flow Graph (graph image not reproduced; basic blocks 5c003c-5c091d; API calls shown in the graph: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA)
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005C024D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: cess$kernel32.dll
                                                                      • API String ID: 4275171209-1230238691
                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction ID: 6ecb9a989f5fd5804ff419ab53124b423b4e5802c40885b424a45b5415c66c11
                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                      • Instruction Fuzzy Hash: D2526974A01229DFDB64CF98C985BA8BBB1BF09304F1480D9E54DAB391DB30AE95DF14

                                                                      Control-flow Graph (graph image not reproduced; basic blocks 40977c-409866; API calls shown in the graph: CreateProcessA, Wow64GetThreadContext, TerminateProcess, WriteProcessMemory, Wow64SetThreadContext, ResumeThread)
                                                                      APIs
                                                                      • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                      • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                      • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                      • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                      • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                      • String ID: D
                                                                      • API String ID: 2098669666-2746444292
                                                                      • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                      • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                      • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                      • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                      Control-flow Graph (graph image not reproduced; basic blocks 404000-40405c; API calls shown in the graph: CreateFileA, GetLastError, Sleep)
                                                                      APIs
                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                      • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                      • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateErrorFileLastSleep
                                                                      • String ID:
                                                                      • API String ID: 408151869-0
                                                                      • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                      • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                      • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                      • GetTickCount.KERNEL32 ref: 0040EC78
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                      • String ID:
                                                                      • API String ID: 1209300637-0
                                                                      • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                      • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                      • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                      Control-flow Graph (graph image not reproduced; basic blocks 406e36-406ec2; API calls shown in the graph: GetUserNameW, LookupAccountNameW)
                                                                      APIs
                                                                      • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountLookupUser
                                                                      • String ID:
                                                                      • API String ID: 2370142434-0
                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                      • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                      Control-flow Graph (graph image not reproduced; basic blocks 48292e-48298c; API calls shown in the graph: CreateToolhelp32Snapshot, Module32First)
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00482956
                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 00482976
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039369993.000000000047E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0047E000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_47e000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                      • String ID:
                                                                      • API String ID: 3833638111-0
                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction ID: c4dfd540e5637bc2e5cee85e45973f869f5db8d59279cf8e37de62094fcefde4
                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                      • Instruction Fuzzy Hash: 7CF0C2316007116BD7203AB99A8DB6FB6E8AF49324F50092AE642A11C0CAB4EC454B64

                                                                      Control-flow Graph (graph image not reproduced; basic blocks 5c0e0f-5c0e2c; API calls shown in the graph: SetErrorMode, called twice)
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,005C0223,?,?), ref: 005C0E19
                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,005C0223,?,?), ref: 005C0E1E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction ID: 62d43324511f6a0460b43ce37119c2a39e606a598f81983a70edaf776378af12
                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                      • Instruction Fuzzy Hash: 17D01231145128B7D7003AD4DC09BCD7F1CDF05B62F008411FB0DD9080C770994046E5

                                                                      Control-flow Graph (graph image not reproduced; basic blocks 406dc2-406e35; API calls shown in the graph: GetVolumeInformationA)
                                                                      APIs
                                                                        • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                        • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                        • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                        • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                      • String ID:
                                                                      • API String ID: 1823874839-0
                                                                      • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                      • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                      • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                      Control-flow Graph (graph image not reproduced; basic blocks 409892-4098f1; API calls shown in the graph: SetServiceStatus)
                                                                      APIs
                                                                      • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ServiceStatus
                                                                      • String ID:
                                                                      • API String ID: 3969395364-0
                                                                      • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                      • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                      • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                      • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                      Control-flow Graph (graph image not reproduced; basic blocks 4825ed-482675; API calls shown in the graph: VirtualAlloc)
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0048263E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039369993.000000000047E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0047E000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_47e000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID:
                                                                      • API String ID: 4275171209-0
                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction ID: e9bb3173a4d00666d6a4603f96e719b23f32a09072679c703b8758cc468a13f9
                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                      • Instruction Fuzzy Hash: F2112B79A00208EFDB01DF98CA85E99BBF5AF08350F058095F948AB362D375EA50DB84

                                                                      Control-flow Graph (graph image not reproduced; basic blocks 4098f2-409960; API calls shown in the graph: Sleep)
                                                                      APIs
                                                                        • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                      • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateEventSleep
                                                                      • String ID:
                                                                      • API String ID: 3100162736-0
                                                                      • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                      • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                      • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                      • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 005C65F6
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 005C6610
                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 005C6631
                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 005C6652
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                      • Instruction ID: e4b591e5d9bf9a23b4185c028bd8908f389d3e51b28772f659cf28a5733e3cd1
                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                      • Instruction Fuzzy Hash: 5911A3B1600219BFDB219FA5DC0AF9B3FA8FB047A5F104029F908E7251DBB1DE4087A4
                                                                      APIs
                                                                      • ExitProcess.KERNEL32 ref: 005C9E6D
                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 005C9FE1
                                                                      • lstrcat.KERNEL32(?,?), ref: 005C9FF2
                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 005CA004
                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 005CA054
                                                                      • DeleteFileA.KERNEL32(?), ref: 005CA09F
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 005CA0D6
                                                                      • lstrcpy.KERNEL32 ref: 005CA12F
                                                                      • lstrlen.KERNEL32(00000022), ref: 005CA13C
                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 005C9F13
                                                                        • Part of subcall function 005C7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 005C7081
                                                                        • Part of subcall function 005C6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\xdcafaam,005C7043), ref: 005C6F4E
                                                                        • Part of subcall function 005C6F30: GetProcAddress.KERNEL32(00000000), ref: 005C6F55
                                                                        • Part of subcall function 005C6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 005C6F7B
                                                                        • Part of subcall function 005C6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 005C6F92
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 005CA1A2
                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 005CA1C5
                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 005CA214
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 005CA21B
                                                                      • GetDriveTypeA.KERNEL32(?), ref: 005CA265
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 005CA29F
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 005CA2C5
                                                                      • lstrcat.KERNEL32(?,00000022), ref: 005CA2D9
                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 005CA2F4
                                                                      • wsprintfA.USER32 ref: 005CA31D
                                                                      • lstrcat.KERNEL32(?,00000000), ref: 005CA345
                                                                      • lstrcat.KERNEL32(?,?), ref: 005CA364
                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 005CA387
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 005CA398
                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 005CA1D1
                                                                        • Part of subcall function 005C9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 005C999D
                                                                        • Part of subcall function 005C9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 005C99BD
                                                                        • Part of subcall function 005C9966: RegCloseKey.ADVAPI32(?), ref: 005C99C6
                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 005CA3DB
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 005CA3E2
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 005CA41D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                      • String ID: "$"$"$D$P$\
                                                                      • API String ID: 1653845638-2605685093
                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                      • Instruction ID: 605311580d601c62aa869f481e45bc355f100906f227cc821003a98aba95ce42
                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                      • Instruction Fuzzy Hash: AAF12CB1C4025EAFDB21DBE09C4DFEE7FBCBB48704F1444AAE605E2141E7758A848B65
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                      • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                      • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                      • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                      • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                      • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                      • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                      • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                      • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                      • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressProc$LibraryLoad
                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                      • API String ID: 2238633743-3228201535
                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                      • API String ID: 766114626-2976066047
                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe$D
                                                                      • API String ID: 2976863881-2485478636
                                                                      • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                      • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                      • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                      • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 005C7D21
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 005C7D46
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005C7D7D
                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 005C7DA2
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 005C7DC0
                                                                      • EqualSid.ADVAPI32(?,?), ref: 005C7DD1
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 005C7DE5
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005C7DF3
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 005C7E03
                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 005C7E12
                                                                      • LocalFree.KERNEL32(00000000), ref: 005C7E19
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005C7E35
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe$D
                                                                      • API String ID: 2976863881-2485478636
                                                                      • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                      • Instruction ID: c49d6aa04595fe46029f050a9334c6865f743d1fad6fc124cde9088afc3bf3eb
                                                                      • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                      • Instruction Fuzzy Hash: D3A13B7290021DAFDB218FA1DD88FEEBFBDFB48340F148069E515E6150EB758A85CB64
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                      • API String ID: 2400214276-165278494
                                                                      • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                      • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                      • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                      • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0040A7FB
                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                      • wsprintfA.USER32 ref: 0040A8AF
                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                      • wsprintfA.USER32 ref: 0040A8E2
                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                      • wsprintfA.USER32 ref: 0040A9B9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                      • API String ID: 3650048968-2394369944
                                                                      • Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                      • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                      • Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
                                                                      • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
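The listing above (wsprintfA/send/recv with the ehlo, helo, AUTH LOGIN, mail from, rcpt to, data, quit strings and the three error messages) together with the earlier date-formatting function (GetLocalTime/GetTimeZoneInformation and the `%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u` format string with day and month names) describe a mail-submission routine. The following is an added worked example, written for this edit and not code from the sample, from Joe Sandbox or from any Tofsee source: it replays that exchange, both sides, against a constructed in-memory server, applying the reply checks the error strings name, and renders the Date header value that the format string produces. The fake server, the `example.invalid` names, the credentials, the rule of choosing ehlo when the banner contains ESMTP, and the use of the 0x3F6 recv size as the "too big" limit are assumptions, not values recovered from the sample.

```python
"""SMTP dialogue and Date header of a mail-sending routine.

Added example by the editor, not code from the sample or from Joe Sandbox. It
reconstructs the exchange the page's strings imply (ehlo/helo, AUTH LOGIN, mail
from, rcpt to, data, ".", quit) against a constructed in-memory server and renders
a Date header with the page's wsprintfA format string. The server, addresses,
credentials and the reply-size limit are assumptions made for the example.
"""
import base64
from datetime import datetime, timedelta, timezone

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
DATE_FMT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"   # the format string shown on the page
MAX_REPLY = 0x3F6   # recv size in the listing; treating a reply that fills it as too big is assumed

def rfc_date(dt):
    """Render an aware datetime with DATE_FMT, giving an RFC 5322 Date header value.
    Python's %-formatting handles %u and %.2u the same way wsprintfA does here."""
    offset = int(dt.utcoffset().total_seconds()) // 60
    sign, offset = ("+", offset) if offset >= 0 else ("-", -offset)
    return DATE_FMT % (DAYS[(dt.weekday() + 1) % 7], dt.day, MONTHS[dt.month - 1], dt.year,
                       dt.hour, dt.minute, dt.second, sign, offset // 60, offset % 60)

def b64(text):
    return base64.b64encode(text.encode()).decode()

class FakeSmtpServer:
    """Constructed in-memory responder: just enough SMTP to drive the client."""

    def __init__(self):
        self.mail, self.transcript, self._body, self._auth = [], [], None, 0

    def _say(self, reply):
        self.transcript.append(("S", reply))
        return reply

    def greeting(self):
        return self._say("220 mx.example.invalid ESMTP ready")

    def handle(self, line):
        self.transcript.append(("C", line))
        if self._body is not None:                       # inside DATA: collect lines, no reply until "."
            if line != ".":
                self._body.append(line[1:] if line.startswith("..") else line)
                return None
            self.mail.append("\r\n".join(self._body))
            self._body = None
            return self._say("250 queued")
        if self._auth:                                   # AUTH LOGIN: username arrives, then password
            self._auth = (self._auth + 1) % 3
            return self._say(("334 " + b64("Password:")) if self._auth == 2 else "235 authenticated")
        verb = line.split(" ", 1)[0].lower()
        if verb in ("ehlo", "helo"):
            return self._say("250-mx.example.invalid\r\n250 AUTH LOGIN" if verb == "ehlo" else "250 mx.example.invalid")
        if line.upper() == "AUTH LOGIN":
            self._auth = 1
            return self._say("334 " + b64("Username:"))
        if verb in ("mail", "rcpt"):
            return self._say("250 ok")
        if verb == "data":
            self._body = []
            return self._say("354 end with <CRLF>.<CRLF>")
        return self._say("221 bye" if verb == "quit" else "500 unrecognised command")

class SmtpError(Exception):
    pass

def expect(reply, code):
    """Reply validation; the three messages are the page's strings, spelling included."""
    if reply is None or len(reply) < 3:
        raise SmtpError("Too small respons")
    if len(reply) >= MAX_REPLY:
        raise SmtpError("Too big smtp respons (%d bytes)" % len(reply))
    if not reply.startswith(code):
        raise SmtpError("Incorrect respons")
    return reply

def send_mail(server, helo_name, sender, rcpt, headers, body, user=None, password=None):
    """One delivery using the page's command strings; returns the server's queue length."""
    cmd = lambda line, code: expect(server.handle(line), code)
    greeting = expect(server.greeting(), "220")
    # "ESMTP", "ehlo %s" and "helo %s" are all on the page; choosing by the banner is an assumption.
    cmd(("ehlo %s" if "ESMTP" in greeting else "helo %s") % helo_name, "250")
    if user is not None:
        cmd("AUTH LOGIN", "334")
        cmd(b64(user), "334")
        cmd(b64(password), "235")
    cmd("mail from:<%s>" % sender, "250")
    cmd("rcpt to:<%s>" % rcpt, "250")
    cmd("data", "354")
    for line in headers + [""] + body.split("\r\n"):     # dot-stuffing (RFC 5321); no reply inside DATA
        server.handle("." + line if line.startswith(".") else line)
    cmd(".", "250")
    cmd("quit", "221")
    return len(server.mail)

if __name__ == "__main__":
    server = FakeSmtpServer()
    when = datetime(2018, 1, 13, 12, 8, 32, tzinfo=timezone(timedelta(hours=3)))   # constructed timestamp
    send_mail(server, "host.example.invalid", "a@example.invalid", "b@example.invalid",
              ["Date: " + rfc_date(when), "Subject: test"], "hello\r\n.stuffed", "user", "secret")
    for who, text in server.transcript:
        print(who, repr(text))
```

Running it prints the full client/server transcript; the client lines are the command strings from the listing, which is the traffic shape to look for in SMTP telemetry from a host running this sample. The Date value comes out as `Sat, 13 Jan 2018 12:08:32 +0300` for the constructed timestamp, which is the header form the wsprintfA format string builds.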
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
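The function listings on this page repeat a handful of API combinations: the VirtualAllocEx/WriteProcessMemory pair, the GetTempPathA, RegSetValueExA, CreateProcessA, DeleteFileA install routine, the ntdll.dll resolution of NtOpenProcessToken/NtDuplicateToken/NtSetInformationThread, and the GetFileSecurityA/DeleteAce/SetFileSecurityA ownership rewrite directly above. The following is an added example, written for this edit rather than code from the sample or from Joe Sandbox: it parses lines in the shape of this report's `APIs` sections and flags those combinations, decoding the constants the listing prints as raw hex (0x40 is PAGE_EXECUTE_READWRITE on VirtualAllocEx, 0x08000000 is CREATE_NO_WINDOW on CreateProcessA, 0x1 and 0x4 are OWNER_SECURITY_INFORMATION and DACL_SECURITY_INFORMATION on SetFileSecurityA). The rule labels and the SAMPLE excerpt are the editor's constructions; the excerpt copies lines from this page verbatim.

```python
"""Flag notable API sequences in Joe Sandbox "APIs" listings.

Added example by the editor, not code from the sample or from Joe Sandbox. It parses
listing lines in the shape this report uses and decodes constants the report prints
as raw hex. The rule labels and the SAMPLE excerpt are the editor's constructions.
"""
import re
from collections import namedtuple

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+))?")
ApiCall = namedtuple("ApiCall", "api args ref subcall")

PAGE_EXECUTE_READWRITE, CREATE_NO_WINDOW = 0x40, 0x08000000   # documented Win32 values
SECURITY_INFORMATION = {0x1: "OWNER", 0x2: "GROUP", 0x4: "DACL", 0x8: "SACL"}
RULES = [   # editor's labels; every name in the set must appear in the block
    ("writes into another process", {"VirtualAllocEx", "WriteProcessMemory"}),
    ("relocates itself, writes a registry value and deletes the original",
     {"GetTempPathA", "RegSetValueExA", "CreateProcessA", "DeleteFileA"}),
    ("resolves token APIs from ntdll by name",
     {"NtOpenProcessToken", "NtDuplicateToken", "NtSetInformationThread"}),
    ("rewrites owner and DACL of a file", {"SetFileSecurityA", "DeleteAce"}),
]

def parse_blocks(text):
    """Split report text into per-function call lists; each starts at an 'APIs' heading."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
        elif stripped in ("Strings", "Memory Dump Source"):
            current = None
        elif current is not None and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append(ApiCall(m["api"], args, m["ref"] or "", m["sub"] is not None))
    return blocks

def hex_arg(call, index):
    """Argument as int, or None when absent or '?' (the plugin could not recover it)."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None

def findings(calls):
    """Rule hits plus decoded constants for one function block."""
    names = {c.api for c in calls}
    names.update(c.args[1] for c in calls if c.api == "GetProcAddress" and len(c.args) > 1)
    out = [label for label, needed in RULES if needed <= names]
    for c in calls:
        if c.api == "VirtualAllocEx" and hex_arg(c, 4) == PAGE_EXECUTE_READWRITE:
            out.append("RWX allocation in a remote process at " + c.ref)
        if c.api == "CreateProcessA" and hex_arg(c, 5) == CREATE_NO_WINDOW:
            out.append("child started with CREATE_NO_WINDOW at " + c.ref)
        if c.api in ("SetFileSecurityA", "RegSetKeySecurity"):
            bits = hex_arg(c, 1) or 0
            parts = [n for b, n in SECURITY_INFORMATION.items() if bits & b]
            out.append("%s sets %s at %s" % (c.api, "|".join(parts) or "nothing", c.ref))
    return out

SAMPLE = r"""
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 005C65F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 005C6610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 005C6631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 005C6652
Memory Dump Source
APIs
• GetTempPathA.KERNEL32(000001F4,?), ref: 005C9F13
  • Part of subcall function 005C6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 005C6F7B
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 005CA1C5
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 005CA387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 005CA398
Strings
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
Strings
APIs
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
Strings
"""

if __name__ == "__main__":
    for i, calls in enumerate(parse_blocks(SAMPLE)):
        print("function %d: %s" % (i, ", ".join(c.api for c in calls)))
        for item in findings(calls):
            print("   ->", item)
```

A `?` argument means the IDA plugin could not recover the value, so the constant checks only fire where the listing shows a literal; the "Part of subcall function" lines are counted as calls of the enclosing block, which is how the report presents them. Names passed to GetProcAddress are added to the block's API set so that the ntdll rule matches on what was resolved rather than on the resolver.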
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 005C7A96
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005C7ACD
                                                                      • GetLengthSid.ADVAPI32(?), ref: 005C7ADF
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 005C7B01
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 005C7B1F
                                                                      • EqualSid.ADVAPI32(?,?), ref: 005C7B39
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 005C7B4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005C7B58
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 005C7B68
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 005C7B77
                                                                      • LocalFree.KERNEL32(00000000), ref: 005C7B7E
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005C7B9A
                                                                      • GetAce.ADVAPI32(?,?,?), ref: 005C7BCA
                                                                      • EqualSid.ADVAPI32(?,?), ref: 005C7BF1
                                                                      • DeleteAce.ADVAPI32(?,?), ref: 005C7C0A
                                                                      • EqualSid.ADVAPI32(?,?), ref: 005C7C2C
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 005C7CB1
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 005C7CBF
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 005C7CD0
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 005C7CE0
                                                                      • LocalFree.KERNEL32(00000000), ref: 005C7CEE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction ID: 9678d6fcf4565dc9d82125a869e2d242b8cad4716a3ba0218cfa40f8b89fce20
                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                      • Instruction Fuzzy Hash: 6981177190421EAFDB21CFA4DD88FEEBFB8BB08344F14806AE515E6150E7759A41CFA4
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                      • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                      • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                      • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe$localcfg
                                                                      • API String ID: 237177642-1464199976
                                                                      • Opcode ID: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                      • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                      • Opcode Fuzzy Hash: 9b9e109144e0e2d50cf6e1315f69990f798a8bf7c84e3a195e658084b19d70a6
                                                                      • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                      • API String ID: 1628651668-3716895483
                                                                      • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                      • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                      • API String ID: 4207808166-1381319158
                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                      APIs
                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                      • API String ID: 835516345-270533642
                                                                      • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                      • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                      • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                      • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 005C865A
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 005C867B
                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 005C86A8
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 005C86B1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: "$C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe
                                                                      • API String ID: 237177642-1720201223
                                                                      • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                      • Instruction ID: eda82de5fce40262b0e7091062b969c76bf2bd22926c3d0b75b1dda65d28b9a0
                                                                      • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                      • Instruction Fuzzy Hash: 6DC19E71900209BEEB11ABE4DC89FFF7FBDFB58300F14446AF605A6051EBB14A948B65
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                      • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                      • htons.WS2_32(00000000), ref: 00402ADB
                                                                      • select.WS2_32 ref: 00402B28
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                      • htons.WS2_32(?), ref: 00402B71
                                                                      • htons.WS2_32(?), ref: 00402B8C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                      • String ID:
                                                                      • API String ID: 1639031587-0
                                                                      • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                      • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                      • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                      • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 005C1601
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 005C17D8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $<$@$D
                                                                      • API String ID: 1628651668-1974347203
                                                                      • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                      • Instruction ID: 67e1a7eb92e4ea1571c2d2b6b99d24187ff609102a9340f3ed215dcbaf1aa5af
                                                                      • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                      • Instruction Fuzzy Hash: 4CF19DB15087419FD720DFA4C888FABBBE4FB8A300F10892DF59697291D7B4D944CB5A
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 005C76D9
                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 005C7757
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 005C778F
                                                                      • ___ascii_stricmp.LIBCMT ref: 005C78B4
                                                                      • RegCloseKey.ADVAPI32(?), ref: 005C794E
                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 005C796D
                                                                      • RegCloseKey.ADVAPI32(?), ref: 005C797E
                                                                      • RegCloseKey.ADVAPI32(?), ref: 005C79AC
                                                                      • RegCloseKey.ADVAPI32(?), ref: 005C7A56
                                                                        • Part of subcall function 005CF40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,005C772A,?), ref: 005CF414
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 005C79F6
                                                                      • RegCloseKey.ADVAPI32(?), ref: 005C7A4D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "
                                                                      • API String ID: 3433985886-123907689
                                                                      • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                      • Instruction ID: c022033e79e86d34beae967185b11e0a5803016221f8480a280aea3903ce64e6
                                                                      • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                      • Instruction Fuzzy Hash: 1DC19F7290420AAFDB219BE4DC49FEE7FB9FF49710F1440A9F504A6191EB719A848F60
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                      • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                      • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                      • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                      • String ID: $"
                                                                      • API String ID: 4293430545-3817095088
                                                                      • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                      • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                      • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                      • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005C2CED
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 005C2D07
                                                                      • htons.WS2_32(00000000), ref: 005C2D42
                                                                      • select.WS2_32 ref: 005C2D8F
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 005C2DB1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 005C2E62
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                      • String ID:
                                                                      • API String ID: 127016686-0
                                                                      • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                      • Instruction ID: ad6bcada282b585c50769673881b96fdb7f5b0e10af0f56ce44bc0b07f2f6330
                                                                      • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                      • Instruction Fuzzy Hash: B161CD71508309AFC320AFA4DC09F6BBFF8FB88741F10481DF985A6251D7B4D8808BA6
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                        • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                        • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                        • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                        • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                      • wsprintfA.USER32 ref: 0040AEA5
                                                                        • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                      • wsprintfA.USER32 ref: 0040AE4F
                                                                      • wsprintfA.USER32 ref: 0040AE5E
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                      • API String ID: 3631595830-1816598006
                                                                      • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                      • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                      • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                      • htons.WS2_32(00000035), ref: 00402E88
                                                                      • inet_addr.WS2_32(?), ref: 00402E93
                                                                      • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                      • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                      • API String ID: 929413710-2099955842
                                                                      • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                      • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                      • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                      • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                      • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                      • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                      • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                      • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                      • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                      • CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                      • String ID:
                                                                      • API String ID: 2622201749-0
                                                                      • Opcode ID: 15625d6cb101808bdea6f9395adb21b3a8eafb42943f0309c545178590061202
                                                                      • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                      • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                      • wsprintfA.USER32 ref: 004093CE
                                                                      • wsprintfA.USER32 ref: 0040940C
                                                                      • wsprintfA.USER32 ref: 0040948D
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID: runas
                                                                      • API String ID: 3696105349-4000483414
                                                                      • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                      • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                      • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 0040B467
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      • API ID: lstrlen$wsprintf
                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                      • API String ID: 1220175532-2340906255
                                                                      • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                      • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                      • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 005C202D
                                                                      • GetSystemInfo.KERNEL32(?), ref: 005C204F
                                                                      • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 005C206A
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 005C2071
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 005C2082
                                                                      • GetTickCount.KERNEL32 ref: 005C2230
                                                                        • Part of subcall function 005C1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 005C1E7C
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                      • API String ID: 4207808166-1391650218
                                                                      • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                      • Instruction ID: 66855945cb503caba2e9fbd1f3b13a383ae36782ebeaf6b3be5e962a0e56106f
                                                                      • Instruction Fuzzy Hash: 4751E5B05003486FE330AFB58C8AF67BEECFB94704F04491DF99692142D7B9A944C765
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00402078
                                                                      • GetTickCount.KERNEL32 ref: 004020D4
                                                                      • GetTickCount.KERNEL32 ref: 004020DB
                                                                      • GetTickCount.KERNEL32 ref: 0040212B
                                                                      • GetTickCount.KERNEL32 ref: 00402132
                                                                      • GetTickCount.KERNEL32 ref: 00402142
                                                                        • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                        • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                        • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                        • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                        • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                      • API String ID: 3976553417-1522128867
                                                                      • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                      • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                      • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                      APIs
                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                      • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                      • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      • API ID: CreateEventExitProcess
                                                                      • String ID:
                                                                      • API String ID: 2404124870-0
                                                                      • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                      • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                      • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                      APIs
                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                      • String ID: localcfg
                                                                      • API String ID: 1553760989-1857712256
                                                                      • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 005C3068
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 005C3078
                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 005C3095
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005C30B6
                                                                      • htons.WS2_32(00000035), ref: 005C30EF
                                                                      • inet_addr.WS2_32(?), ref: 005C30FA
                                                                      • gethostbyname.WS2_32(?), ref: 005C310D
                                                                      • HeapFree.KERNEL32(00000000), ref: 005C314D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: iphlpapi.dll
                                                                      • API String ID: 2869546040-3565520932
                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction ID: 92ab64d8cf2010f0eab9abad36e649defe0c3385bd42d9d78dba06196f9f9ae2
                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                      • Instruction Fuzzy Hash: B9314431A0060AAFDB119BF49C48FAE7FB8BF05761F188169E518E7290DB74DA41CB54
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?), ref: 005C95A7
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005C95D5
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 005C95DC
                                                                      • wsprintfA.USER32 ref: 005C9635
                                                                      • wsprintfA.USER32 ref: 005C9673
                                                                      • wsprintfA.USER32 ref: 005C96F4
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 005C9758
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 005C978D
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 005C97D8
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID:
                                                                      • API String ID: 3696105349-0
                                                                      • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction ID: b4b4c1eab8f3a2d12ca5c5dafb8dd81f6cf35f9b0b265ae1aaf25ae501ba6174
                                                                      • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                      • Instruction Fuzzy Hash: E4A15CB1900249EFEB21DFE0DC89FDA3BACFB45741F10402AFA1596152E7B5D984CBA4
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                      • API String ID: 3560063639-3847274415
                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                      APIs
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                      • API String ID: 1586166983-1625972887
                                                                      • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                      • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                      APIs
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                      • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                      • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                      • String ID:
                                                                      • API String ID: 3188212458-0
                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                      APIs
                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 005C67C3
                                                                      • htonl.WS2_32(?), ref: 005C67DF
                                                                      • htonl.WS2_32(?), ref: 005C67EE
                                                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 005C68F1
                                                                      • ExitProcess.KERNEL32 ref: 005C69BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Processhtonl$CurrentExitHugeRead
                                                                      • String ID: except_info$localcfg
                                                                      • API String ID: 1150517154-3605449297
                                                                      • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                      • Instruction ID: 8eee0d913537414b03bb2c6dad80c9cbd4da845d892c5d8637fb1c049bfab8ef
                                                                      • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                      • Instruction Fuzzy Hash: A6616F71940208AFDB609FA4DC45FEA7BF9FB48300F14806AF96DD2161DA759990CF54
                                                                      APIs
                                                                      • htons.WS2_32(005CCC84), ref: 005CF5B4
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 005CF5CE
                                                                      • closesocket.WS2_32(00000000), ref: 005CF5DC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                      • Instruction ID: 0433abc04acec01eb0307ce898a0e9b29d2023356dc3412c4a007ab2734f1a89
                                                                      • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                      • Instruction Fuzzy Hash: 19315C72900119AFDB10DFA5EC89EEE7BBDFF88310F10456AF915E3150E7709A818BA4
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                      • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                      • wsprintfA.USER32 ref: 00407036
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                      • String ID: /%d$|
                                                                      • API String ID: 676856371-4124749705
                                                                      • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                      • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                      • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                      • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(?), ref: 005C2FA1
                                                                      • LoadLibraryA.KERNEL32(?), ref: 005C2FB1
                                                                      • GetProcAddress.KERNEL32(00000000,004103F0), ref: 005C2FC8
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 005C3000
                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 005C3007
                                                                      • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 005C3032
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                      • String ID: dnsapi.dll
                                                                      • API String ID: 1242400761-3175542204
                                                                      • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                      • Instruction ID: f326c08418cd090a13f3bc69f308ef3fd3d649f185a3b8fcadb49b9dcc287059
                                                                      • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                      • Instruction Fuzzy Hash: 57213272941629BFCB219B95DC49EAEBFB8FF08B50F108429F905E7140D7B49E8187D4
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                      • API String ID: 1082366364-3395550214
                                                                      • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                      • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                      • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                      • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 005C9A18
                                                                      • GetThreadContext.KERNEL32(?,?), ref: 005C9A52
                                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 005C9A60
                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 005C9A98
                                                                      • SetThreadContext.KERNEL32(?,00010002), ref: 005C9AB5
                                                                      • ResumeThread.KERNEL32(?), ref: 005C9AC2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                      • String ID: D
                                                                      • API String ID: 2981417381-2746444292
                                                                      • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                      • Instruction ID: 346a49e883c37cc5af43a20f43d233c39085eb0c9f64ef66b53cd8124ab905cf
                                                                      • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                      • Instruction Fuzzy Hash: 1E2117B1A01219BFDB119BE1DC09FEFBFBCEF04750F404065BA19E1050E6758A84CAA4
                                                                      APIs
                                                                      • inet_addr.WS2_32(004102D8), ref: 005C1C18
                                                                      • LoadLibraryA.KERNEL32(004102C8), ref: 005C1C26
                                                                      • GetProcessHeap.KERNEL32 ref: 005C1C84
                                                                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 005C1C9D
                                                                      • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 005C1CC1
                                                                      • HeapFree.KERNEL32(?,00000000,00000000), ref: 005C1D02
                                                                      • FreeLibrary.KERNEL32(?), ref: 005C1D0B
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                      • String ID:
                                                                      • API String ID: 2324436984-0
                                                                      • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                      • Instruction ID: ca81c766e7be34fb98d4b3dd5018c8da074eb4cceefb78e8ae34d6a052574671
                                                                      • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                      • Instruction Fuzzy Hash: 9C315B32E00209AFCB119FE4DC88DAEBFB9FB46311B24447EF502A6111D7B54E80DB98
                                                                      APIs
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 005C6CE4
                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 005C6D22
                                                                      • GetLastError.KERNEL32 ref: 005C6DA7
                                                                      • CloseHandle.KERNEL32(?), ref: 005C6DB5
                                                                      • GetLastError.KERNEL32 ref: 005C6DD6
                                                                      • DeleteFileA.KERNEL32(?), ref: 005C6DE7
                                                                      • GetLastError.KERNEL32 ref: 005C6DFD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                      • String ID:
                                                                      • API String ID: 3873183294-0
                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction ID: 5271a8362eb28197a7c125b6023e1b1074db40d228efaff5a26fb905c291a54f
                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                      • Instruction Fuzzy Hash: 1E31C076A00249BFCB019FE49D49FDE7FB9FF88310F14846AE252E3251D7708A558BA1
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\xdcafaam,005C7043), ref: 005C6F4E
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 005C6F55
                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 005C6F7B
                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 005C6F92
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                      • String ID: C:\Windows\SysWOW64\$\\.\pipe\xdcafaam
                                                                      • API String ID: 1082366364-2611547163
                                                                      • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                      • Instruction ID: 6d01b30e846e808e8166e6aaad716cbc2b3fc7db19a24cc78be5542706369c85
                                                                      • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                      • Instruction Fuzzy Hash: 102165217443447EF3225370AC8DFFB2E4CAB96720F0840ADF400E6482DAD989D6C7AD
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen
                                                                      • String ID: $localcfg
                                                                      • API String ID: 1659193697-2018645984
                                                                      • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                      • Instruction ID: 38905ff970d9c85d292d4723963457ca71e64c8c7b3f504027a336c6d447b876
                                                                      • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                      • Instruction Fuzzy Hash: AF713C71A0030DAEDF218BD4EC86FEE3F69BB4070DF24442EF906A6091DA759D848757
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                      • String ID: flags_upd$localcfg
                                                                      • API String ID: 204374128-3505511081
                                                                      • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                      • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                      APIs
                                                                        • Part of subcall function 005CDF6C: GetCurrentThreadId.KERNEL32 ref: 005CDFBA
                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 005CE8FA
                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,005C6128), ref: 005CE950
                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 005CE989
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                      • String ID: A$ A$ A
                                                                      • API String ID: 2920362961-1846390581
                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                      • Instruction ID: bd359cfc9f2a41067fd7d28a711b3da3d08bf6404d325d93e03ddac0379cea52
                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                      • Instruction Fuzzy Hash: 9B319C316007069FDB718FA4C88AFA67FE8FB09720F10892EF59687551D374E880CB91
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Code
                                                                      • String ID:
                                                                      • API String ID: 3609698214-0
                                                                      • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                      • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                      • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                      • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Code
                                                                      • String ID:
                                                                      • API String ID: 3609698214-0
                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                      • Instruction ID: 0505c21ca243ff8bd3ee9f9280304eb518ef4e1832a305047d61e0de66b51bb9
                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                      • Instruction Fuzzy Hash: 86211D76104119BFDB109BE1EC49FDF7FADEB497A1B20842AF502D1091EB70DB4096B4
                                                                      APIs
                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                      • wsprintfA.USER32 ref: 004090E9
                                                                      • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                      • String ID:
                                                                      • API String ID: 2439722600-0
                                                                      • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                      • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                      • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                      • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                      APIs
                                                                      • GetTempPathA.KERNEL32(00000400,?), ref: 005C92E2
                                                                      • wsprintfA.USER32 ref: 005C9350
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 005C9375
                                                                      • lstrlen.KERNEL32(?,?,00000000), ref: 005C9389
                                                                      • WriteFile.KERNEL32(00000000,?,00000000), ref: 005C9394
                                                                      • CloseHandle.KERNEL32(00000000), ref: 005C939B
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                      • String ID:
                                                                      • API String ID: 2439722600-0
                                                                      • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                      • Instruction ID: 9bcbe30d9665cc0210447c41846a716e52c23e3cb66d2991f34ea3df43fc0f4e
                                                                      • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                      • Instruction Fuzzy Hash: 961172B17401157FE72167B1EC0EFEF3E6DEBC8B10F008069BB09A5091EEB44A4187A4
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                      • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                      • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                      • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 3819781495-0
                                                                      • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                      • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                      • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                      • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 005CC6B4
                                                                      • InterlockedIncrement.KERNEL32(005CC74B), ref: 005CC715
                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,005CC747), ref: 005CC728
                                                                      • CloseHandle.KERNEL32(00000000,?,005CC747,00413588,005C8A77), ref: 005CC733
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                      • String ID: localcfg
                                                                      • API String ID: 1026198776-1857712256
                                                                      • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                      • Instruction ID: 9ed7ff96c3bf4929f8820d806d4a95f345e797d2e991db7f095f7e5334fd265d
                                                                      • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                      • Instruction Fuzzy Hash: C7512FB1A01B458FD7649FA9C6C5A26BFE9FB48300B50593EE18BC7A90D774F844CB50
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                        • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                        • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                        • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                      • String ID: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe
                                                                      • API String ID: 124786226-1056034784
                                                                      • Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                      • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                      • Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
                                                                      • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,005CE50A,00000000,00000000,00000000,00020106,00000000,005CE50A,00000000,000000E4), ref: 005CE319
                                                                      • RegSetValueExA.ADVAPI32(005CE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 005CE38E
                                                                      • RegDeleteValueA.ADVAPI32(005CE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D\), ref: 005CE3BF
                                                                      • RegCloseKey.ADVAPI32(005CE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D\,005CE50A), ref: 005CE3C8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID: D\
                                                                      • API String ID: 2667537340-318309186
                                                                      • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                      • Instruction ID: 3a03be5e8047c8b5b9aab3c11619027a69032d62e33637b8d1325c8dc64cf899
                                                                      • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                      • Instruction Fuzzy Hash: 5B214971A00219AFDF209FE5EC8AFEE7F69EF09B50F008425F904A6151E271AA5497A0
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 005C71E1
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 005C7228
                                                                      • LocalFree.KERNEL32(?,?,?), ref: 005C7286
                                                                      • wsprintfA.USER32 ref: 005C729D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                      • String ID: |
                                                                      • API String ID: 2539190677-2343686810
                                                                      • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                      • Instruction ID: b3b18c8fc88ffacbe45da13e36758933acca8e4e874692846961bf24f66fcdca
                                                                      • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                      • Instruction Fuzzy Hash: 6931F676904209AFDB01DFA8D849FDA7BACEF08314F14806AB959DB101EB75DA488B94
                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                      • String ID: LocalHost
                                                                      • API String ID: 3695455745-3154191806
                                                                      • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                      • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                      • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                      • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: QueryValue$CloseOpen
                                                                      • String ID:
                                                                      • API String ID: 1586453840-0
                                                                      • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                      • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                      • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 005CB51A
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005CB529
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 005CB548
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 005CB590
                                                                      • wsprintfA.USER32 ref: 005CB61E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                      • String ID:
                                                                      • API String ID: 4026320513-0
                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                      • Instruction ID: 4a9fbe775a5e59ed3eb627d0cde722eab1158ff4899fe0f45788086f672f95c9
                                                                      • Instruction Fuzzy Hash: 70512EB1D0021DAEDF14DFD5D8899EEBBB9BF48304F10812AF501A6150E7B84AC9CF98
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                      • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$CreateEvent
                                                                      • String ID:
                                                                      • API String ID: 1371578007-0
                                                                      • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                      • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                      • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 2438460464-0
                                                                      • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                      • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                      • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                      APIs
                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 005C6303
                                                                      • LoadLibraryA.KERNEL32(?), ref: 005C632A
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 005C63B1
                                                                      • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 005C6405
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: HugeRead$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 3498078134-0
                                                                      • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                      • Instruction ID: 8239c9f265b973da40c727b2487653b671d48f56a52001f5266edb54c2395766
                                                                      • Instruction Fuzzy Hash: 8C415B71A0020AAFDB14CF98C884FA9BBB8FF04754F24896DE815D7290E775EE41DB90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                      • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                      • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                      APIs
                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                      • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                      • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                      • String ID: A$ A
                                                                      • API String ID: 3343386518-686259309
                                                                      • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                      • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                      • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                        • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                      • String ID:
                                                                      • API String ID: 1802437671-0
                                                                      • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                      • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                      • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                      APIs
                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                      • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                      • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID:
                                                                      • API String ID: 3857584221-0
                                                                      • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                      • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                      • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 005C93C6
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 005C93CD
                                                                      • CharToOemA.USER32(?,?), ref: 005C93DB
                                                                      • wsprintfA.USER32 ref: 005C9410
                                                                        • Part of subcall function 005C92CB: GetTempPathA.KERNEL32(00000400,?), ref: 005C92E2
                                                                        • Part of subcall function 005C92CB: wsprintfA.USER32 ref: 005C9350
                                                                        • Part of subcall function 005C92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 005C9375
                                                                        • Part of subcall function 005C92CB: lstrlen.KERNEL32(?,?,00000000), ref: 005C9389
                                                                        • Part of subcall function 005C92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 005C9394
                                                                        • Part of subcall function 005C92CB: CloseHandle.KERNEL32(00000000), ref: 005C939B
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 005C9448
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID:
                                                                      • API String ID: 3857584221-0
                                                                      • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                      • Instruction ID: f7759ef1b67d1a7cde733f0a7b17b90feabb90ece943a9efc0ca329e29b69166
                                                                      • Instruction Fuzzy Hash: 450140F69001197BDB21A7A19D8DFDF3B7CEB95701F0040A5BB49E2080EAB496C58F75
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$lstrcmpi
                                                                      • String ID: localcfg
                                                                      • API String ID: 1808961391-1857712256
                                                                      • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                      • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                      • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                      • API String ID: 2574300362-1087626847
                                                                      • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                      • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                      • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                      • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                      APIs
                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: hi_id$localcfg
                                                                      • API String ID: 2777991786-2393279970
                                                                      • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                      • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                      • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                      • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                      APIs
                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                      • String ID: *p@
                                                                      • API String ID: 3429775523-2474123842
                                                                      • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                      • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                      • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                      • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: gethostbynameinet_addr
                                                                      • String ID: time_cfg$u6A
                                                                      • API String ID: 1594361348-1940331995
                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction ID: fc47509bc1e8080fe20292609598641e6ed40e7f374ce30b408a7adf11002093
                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                      • Instruction Fuzzy Hash: 8BE082306082218FCB008B28F848ACA3BA4AF0A330F008188F080C32A1C7349CC0AA80
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 005C69E5
                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 005C6A26
                                                                      • GetFileSize.KERNEL32(000000FF,00000000), ref: 005C6A3A
                                                                      • CloseHandle.KERNEL32(000000FF), ref: 005C6BD8
                                                                        • Part of subcall function 005CEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,005C1DCF,?), ref: 005CEEA8
                                                                        • Part of subcall function 005CEE95: HeapFree.KERNEL32(00000000), ref: 005CEEAF
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                      • String ID:
                                                                      • API String ID: 3384756699-0
                                                                      • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                      • Instruction ID: d185c706df482f22f419515de25910c8f64503694aed0bfc6e85fba058ffa8be
                                                                      • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                      • Instruction Fuzzy Hash: 8D71F271900229EFDB109FA4CC85EEEBBB9FB08354F1045AAE515E6190D7349F92DB60
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf
                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                      • API String ID: 2111968516-120809033
                                                                      • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                      • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                      • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                      • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
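The wsprintf format `%u.%u.%u.%u.%s` in the card above is four decimal fields followed by a string. The page does not say what fills them; the example below assumes they are the octets of an IPv4 address in reverse order followed by a DNS zone, which is the shape of a DNS-based blocklist (DNSBL) query and is how a spam bot learns whether the host's address is already listed. It is an added example, not code from the Joe Sandbox report or from the Tofsee sample, and the zone names and log lines in it are constructed for illustration; the report does not name a zone. It shows the query builder and the matching detector over DNS query logs, including the in-addr.arpa PTR case that has the same shape but is not a blocklist lookup.

```python
"""Reverse-octet DNS blocklist (DNSBL) lookups of the `%u.%u.%u.%u.%s` shape.

Added example, not code from the Joe Sandbox report or the Tofsee sample.
It assumes (the page does not state it) that the four decimal fields are the
octets of an IPv4 address and the trailing string a DNS zone, the layout of
a DNSBL query: octets reversed, then the zone.  A 127.0.0.x answer means the
address is listed; NXDOMAIN means it is not.  Zones and log lines are made up.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Illustrative public DNSBL zones; the report does not say which zone the sample uses.
ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"]

# Constructed DNS query log: "<time> <client> query <type> <name> -> <answer>".
LOG = """\
2024-06-12T10:01:02Z 192.0.2.10 query A 10.2.0.192.zen.spamhaus.org -> 127.0.0.2
2024-06-12T10:01:03Z 192.0.2.10 query A 10.2.0.192.bl.spamcop.net -> NXDOMAIN
2024-06-12T10:01:04Z 192.0.2.10 query A www.example.com -> 93.184.216.34
2024-06-12T10:01:05Z 192.0.2.10 query PTR 10.2.0.192.in-addr.arpa -> NXDOMAIN
"""

REVERSED_NAME = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(.+?)\.?$")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL client resolves for `ip` in `zone`: reversed octets, then the zone."""
    o = ipaddress.IPv4Address(ip).packed  # raises on anything that is not an IPv4 address
    return "%u.%u.%u.%u.%s" % (o[3], o[2], o[1], o[0], zone)


def parse_dnsbl_query(name: str, zones: List[str]) -> Optional[Tuple[str, str]]:
    """Inverse of dnsbl_query_name: (ip, zone) if `name` is a lookup in one of `zones`."""
    m = REVERSED_NAME.match(name)
    if not m:
        return None
    zone = m.group(5).lower()
    if zone not in zones:
        return None  # a PTR name under in-addr.arpa has the same shape but is not a DNSBL lookup
    a, b, c, d = (int(x) for x in m.groups()[:4])
    if max(a, b, c, d) > 255:
        return None
    return "%d.%d.%d.%d" % (d, c, b, a), zone


def scan_log(log: str, zones: List[str]) -> List[Dict[str, object]]:
    """Flag DNSBL lookups in the log and record whether the checked address was listed."""
    findings = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[2] != "query":
            continue
        when, client, _, _qtype, qname, _, answer = parts[:7]
        hit = parse_dnsbl_query(qname, zones)
        if hit is None:
            continue
        checked_ip, zone = hit
        findings.append({"time": when, "client": client, "checked_ip": checked_ip,
                         "zone": zone, "listed": answer.startswith("127.0.0.")})
    return findings


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "zen.spamhaus.org"))
    for finding in scan_log(LOG, ZONES):
        print(finding)
```

`parse_dnsbl_query` is the exact inverse of `dnsbl_query_name`, so a detection rule can recover the address the bot checked from the query name alone; the zone allow-list is what keeps ordinary reverse-DNS names out of the findings.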
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                      • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                      • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                      • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID:
                                                                      • API String ID: 2667537340-0
                                                                      • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                      • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                      • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                      • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
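Three of the cards above are readable only once their hex arguments are decoded: the AllocateAndInitializeSid call with sub-authority count 2 and RIDs 0x20 and 0x220 followed by CheckTokenMembership (the usual "is the caller in BUILTIN\Administrators" check, S-1-5-32-544), the RegCreateKeyExA call whose first word is 0x80000001 (HKEY_CURRENT_USER) and whose samDesired word is 0x20106, the RegSetValueExA call with type 3 (REG_BINARY), and the SetFileAttributesA calls with 0x80 and 0x02. The decoder below is an added example, not code from the Joe Sandbox report or from the Tofsee sample; its input lines are copied from those cards. Two caveats it carries as assumptions: Joe Sandbox prints the raw stack words at the call site, so only the leading slots are the API's real parameters (the first word of the RegSetValueExA line, 0040E2A3, repeats the string pointer from the RegCreateKeyExA line rather than a key handle), and the SID's identifier authority is passed by pointer and is not printed, so the NT authority (5) is assumed as in the standard admin-check idiom.

```python
"""Decode the Win32 constants in Joe Sandbox API-call lines.

Added example, not code from the Joe Sandbox report or the Tofsee sample.
It parses `Api.DLL(arg,...), ref: 00401234` lines and decodes the arguments
that say what a call does.  Joe Sandbox prints raw stack words at the call
site, so only the leading positions are the API's real parameters; treating
them positionally is an assumption to confirm against the disassembly.
"""
import re
from typing import Dict, List, Optional, Tuple

API_LINE = re.compile(r"(\w+)\.(\w+)\((.*?)\), ref: ([0-9A-Fa-f]{8})")

# Sample input: lines copied from the report cards above.
TRACE = """\
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
SetFileAttributesA.KERNEL32(?,00000002), ref: 005C6A26
"""

HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
# Composite rights are matched first, then whatever single bits remain.
KEY_COMPOSITES = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x20006, "KEY_WRITE")]
KEY_BITS = [(0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
            (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"), (0x100, "KEY_WOW64_64KEY"),
            (0x200, "KEY_WOW64_32KEY"), (0x20000, "READ_CONTROL")]
FILE_ATTR_BITS = [(0x1, "FILE_ATTRIBUTE_READONLY"), (0x2, "FILE_ATTRIBUTE_HIDDEN"),
                  (0x4, "FILE_ATTRIBUTE_SYSTEM"), (0x80, "FILE_ATTRIBUTE_NORMAL")]
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-545": "BUILTIN\\Users"}
SECURITY_NT_AUTHORITY = 5  # assumed: the authority is passed by pointer and not printed


def parse_trace(text: str) -> List[Tuple[str, str, list, int]]:
    """(api, dll, args, ref) per line; '?' becomes None, 8-hex-digit words become ints."""
    calls = []
    for m in API_LINE.finditer(text):
        api, dll, raw, ref = m.groups()
        args = []
        for a in (x.strip() for x in raw.split(",")):
            if a == "?":
                args.append(None)
            elif re.fullmatch(r"[0-9A-Fa-f]{8}", a):
                args.append(int(a, 16))
            else:
                args.append(a)  # inline string data such as "*p@"
        calls.append((api, dll, args, int(ref, 16)))
    return calls


def decode_flags(value: int, composites, bits) -> List[str]:
    """Split an access or attribute mask into names; unknown leftover bits stay as hex."""
    names = []
    for mask, name in list(composites) + list(bits):
        if value & mask == mask:
            names.append(name)
            value &= ~mask
    return names + ([hex(value)] if value else [])


def sid_string(authority: int, sub_authorities: List[int]) -> str:
    """Textual form of a revision-1 SID."""
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in sub_authorities))


def decode_call(api: str, args: list) -> Optional[str]:
    """Meaning of one call, or None for calls this decoder does not cover."""
    if api == "AllocateAndInitializeSid":   # args[1] = sub-authority count, then the RIDs
        sid = sid_string(SECURITY_NT_AUTHORITY, args[2:2 + args[1]])
        return "builds SID %s (%s)" % (sid, WELL_KNOWN_SIDS.get(sid, "unknown"))
    if api == "RegCreateKeyExA":            # args[0] = root key, args[5] = samDesired
        rights = "|".join(decode_flags(args[5], KEY_COMPOSITES, KEY_BITS))
        root = HKEY_ROOTS.get(args[0], hex(args[0]))
        return "opens or creates a key under %s with %s" % (root, rights)
    if api == "RegSetValueExA":             # args[3] = dwType
        return "writes a value of type %s" % REG_TYPES.get(args[3], hex(args[3]))
    if api == "SetFileAttributesA":         # args[1] = dwFileAttributes
        return "sets " + "|".join(decode_flags(args[1], [], FILE_ATTR_BITS))
    return None


def find_admin_check(calls) -> Optional[int]:
    """Address of a CheckTokenMembership that follows building the BUILTIN\\Administrators SID."""
    armed = False
    for api, _dll, args, ref in calls:
        if api == "AllocateAndInitializeSid":
            armed = "S-1-5-32-544" in (decode_call(api, args) or "")
        elif api == "CheckTokenMembership" and armed:
            return ref
    return None


def analyze(text: str) -> Dict[str, str]:
    """Map 'Api@ref' to a decoded description for every call the decoder understands."""
    out = {}
    for api, _dll, args, ref in parse_trace(text):
        desc = decode_call(api, args)
        if desc:
            out["%s@%08X" % (api, ref)] = desc
    return out
```

Run `analyze(TRACE)` to get one decoded line per call; `find_admin_check(parse_trace(TRACE))` returns the address of the CheckTokenMembership call (0x406F24 for the trace above), which is the function to start from when looking for the branch the sample takes when it is not elevated. The mask 0x20106 decodes to KEY_WRITE plus KEY_WOW64_64KEY, so the config key is written to the native 64-bit view of the registry even from this 32-bit process.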
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                      • GetLastError.KERNEL32 ref: 00403F4E
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                      • GetLastError.KERNEL32 ref: 00403FC2
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 005C41AB
                                                                      • GetLastError.KERNEL32 ref: 005C41B5
                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 005C41C6
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 005C41D9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction ID: d13877ea5bdddbf76327d4584d98a86b02b156fb5b8f3fea11a9710a9380139f
                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                      • Instruction Fuzzy Hash: 8101C27691110AAFDB01DF90ED88FEA7BA8BB18355F108065F901E2050D7709AA4CBA6
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 005C421F
                                                                      • GetLastError.KERNEL32 ref: 005C4229
                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 005C423A
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 005C424D
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction ID: 2f319d742f53deb00d87fa5ca943588ce300062b4879663a438d77c4d130c274
                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                      • Instruction Fuzzy Hash: 22019072911209AFDF01DF90EE85FEE7BACFB08356F108465F901E2050D770AA549BA6
                                                                      APIs
                                                                      • lstrcmp.KERNEL32(?,80000009), ref: 005CE066
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp
                                                                      • String ID: A$ A$ A
                                                                      • API String ID: 1534048567-1846390581
                                                                      • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                      • Instruction ID: 09c7fa59e40d728810f64453ea078664598db1b32435db3c59c3002375a9ded7
                                                                      • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                      • Instruction Fuzzy Hash: 99F06231200702DFCB30CFA5D889F82BBF9FB05321B44862EE154E3060D3B4A899CB95
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                      • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                      • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                      • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                      • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                      • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404E9E
                                                                      • GetTickCount.KERNEL32 ref: 00404EAD
                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                      • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                      • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                      • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00404BDD
                                                                      • GetTickCount.KERNEL32 ref: 00404BEC
                                                                      • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                      • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
• Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
• Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
• Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
• Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
APIs
• WriteFile.KERNEL32(00000001,D\,00000000,00000000,00000000), ref: 005CE470
• CloseHandle.KERNEL32(00000001,00000003), ref: 005CE484
  • Part of subcall function 005CE2FC: RegCreateKeyExA.ADVAPI32(80000001,005CE50A,00000000,00000000,00000000,00020106,00000000,005CE50A,00000000,000000E4), ref: 005CE319
  • Part of subcall function 005CE2FC: RegSetValueExA.ADVAPI32(005CE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 005CE38E
  • Part of subcall function 005CE2FC: RegDeleteValueA.ADVAPI32(005CE50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D\), ref: 005CE3BF
  • Part of subcall function 005CE2FC: RegCloseKey.ADVAPI32(005CE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,D\,005CE50A), ref: 005CE3C8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: D\
• API String ID: 4151426672-318309186
• Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
• Instruction ID: 5840193e4fafde13e52cd60ca4d295b26dbdcaa3791949865c6bc6b7acfbb356
• Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
• Instruction Fuzzy Hash: 8F41A7B6900215BEEB206AD18C8BFEF3F6CFB44764F14802DF90994092E6B58A50D6B5
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 005C83C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 005C8477
  • Part of subcall function 005C69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 005C69E5
  • Part of subcall function 005C69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 005C6A26
  • Part of subcall function 005C69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 005C6A3A
  • Part of subcall function 005CEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,005C1DCF,?), ref: 005CEEA8
  • Part of subcall function 005CEE95: HeapFree.KERNEL32(00000000), ref: 005CEEAF
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe
• API String ID: 359188348-1056034784
• Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
• Instruction ID: 9064207f5ca43699c6aa3ef49b2c1bbca8fa997dc7260a628207f5461678f47e
• Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
• Instruction Fuzzy Hash: 8F415EB290010ABEEF14ABE09DC5EFF7BADFB44344F14446EE504D6011EAB45A948B60
APIs
• GetLocalTime.KERNEL32(?), ref: 005CAFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 005CB00D
  • Part of subcall function 005CAF6F: gethostname.WS2_32(?,00000080), ref: 005CAF83
  • Part of subcall function 005CAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 005CAFE6
  • Part of subcall function 005C331C: gethostname.WS2_32(?,00000080), ref: 005C333F
  • Part of subcall function 005C331C: gethostbyname.WS2_32(?), ref: 005C3349
  • Part of subcall function 005CAA0A: inet_ntoa.WS2_32(00000000), ref: 005CAA10
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
• Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
• Instruction ID: 0cd10a0ddb6904b3bc7f547332a4d6e9155b8629803393065fb5af18d51a3682
• Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
• Instruction Fuzzy Hash: 7F416F7290024CAFDB21AFE0DC4AFEE3B6DFB48304F24442AB925A2152EA75D644CB54
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 005C9536
• Sleep.KERNEL32(000001F4), ref: 005C955D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
• Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
• Instruction ID: f5c80694e5ea7d34836f571bf6b38ae086256ee85d3a492ee0bb64cf2d2cf50d
• Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
• Instruction Fuzzy Hash: 7B41E5B19083856EEF379BE4D88DFA67FA8BF42310F2841ADD482971A2D6B44D81C711
APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
• Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
• Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
• Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
• Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
APIs
• GetTickCount.KERNEL32 ref: 005CB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 005CBA3A
• InterlockedIncrement.KERNEL32(?), ref: 005CBA94
• GetTickCount.KERNEL32 ref: 005CBB79
• GetTickCount.KERNEL32 ref: 005CBB99
• InterlockedIncrement.KERNEL32(?), ref: 005CBE15
• closesocket.WS2_32(00000000), ref: 005CBEB4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
• Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction ID: 71d285b43b2509ce31685cac9afd8c0aa440465012197613ac93f0cbfa22c485
• Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
• Instruction Fuzzy Hash: 173158714002489FEF25DFE4DC8AFEA7BB8FB48700F20445AFA2592161EB759A85CB14
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
• Opcode Fuzzy Hash: f778bec48d6853c61bba66ff70abee8b380bd23c812c2bd80f901189d0bf267b
• Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
• Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
• Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
• Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
• Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 005C70BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 005C70F4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810
• Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction ID: c14b31e28fbe5a9015679bf25ece1a678b248c07e4d14bfc2eb9baa4998cb291
• Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
• Instruction Fuzzy Hash: BD11D67290411CEBDB11CED4D884FDEBBBDBB08711F1881AAE501E6590D6709B88DBA0
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
• Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
• Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
• InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
• Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
• Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
• Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
• Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
Yara matches
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• API String ID: 1594361348-2401304539
• Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
• Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
• Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: ntdll.dll
                                                                      • API String ID: 2574300362-2227199552
                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                      APIs
                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039245342.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_400000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0
                                                                      • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                      • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                      APIs
                                                                        • Part of subcall function 005C2F88: GetModuleHandleA.KERNEL32(?), ref: 005C2FA1
                                                                        • Part of subcall function 005C2F88: LoadLibraryA.KERNEL32(?), ref: 005C2FB1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005C31DA
                                                                      • HeapFree.KERNEL32(00000000), ref: 005C31E1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2039438332.00000000005C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_5c0000_bvvnqaeq.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                      • String ID:
                                                                      • API String ID: 1017166417-0
                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                      • Instruction ID: 4c09517f8bc0f175ff6ab90e4ad87102c72db5f21f921c0761e1ee14cdb1a58a
                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                      • Instruction Fuzzy Hash: 62519A7590024AAFCF019FA4D888AEABB75FF15304F148569EC9697211E7329A19CB90

                                                                      Execution Graph

                                                                      Execution Coverage: 14.3%
                                                                      Dynamic/Decrypted Code Coverage: 0%
                                                                      Signature Coverage: 0.7%
                                                                      Total number of Nodes: 1828
                                                                      Total number of Limit Nodes: 18
6896->6893 6896->6894 6897->6894 6897->6896 6899 2cbdd05 6 API calls 6898->6899 6900 2cbe8b4 6899->6900 6901 2cbdd84 lstrcmpiA 6900->6901 6902 2cbe8c0 6901->6902 6903 2cbe8c8 lstrcpynA 6902->6903 6904 2cbe90a 6902->6904 6906 2cbe8f5 6903->6906 6905 2cb2419 4 API calls 6904->6905 6914 2cbea27 6904->6914 6907 2cbe926 lstrlenA lstrlenA 6905->6907 6919 2cbdf4c 6906->6919 6909 2cbe96a 6907->6909 6910 2cbe94c lstrlenA 6907->6910 6913 2cbebcc 4 API calls 6909->6913 6909->6914 6910->6909 6911 2cbe901 6912 2cbdd84 lstrcmpiA 6911->6912 6912->6904 6915 2cbe98f 6913->6915 6914->6849 6915->6914 6916 2cbdf4c 20 API calls 6915->6916 6917 2cbea1e 6916->6917 6918 2cbec2e codecvt 4 API calls 6917->6918 6918->6914 6920 2cbdd05 6 API calls 6919->6920 6921 2cbdf51 6920->6921 6922 2cbf04e 4 API calls 6921->6922 6923 2cbdf58 6922->6923 6924 2cbde24 10 API calls 6923->6924 6925 2cbdf63 6924->6925 6925->6911 6927 2cb1ae2 GetProcAddress 6926->6927 6933 2cb1b68 GetComputerNameA GetVolumeInformationA 6926->6933 6930 2cb1af5 6927->6930 6927->6933 6928 2cb1b1c GetAdaptersAddresses 6928->6930 6932 2cb1b29 6928->6932 6929 2cbebed 8 API calls 6929->6930 6930->6928 6930->6929 6930->6932 6931 2cbec2e codecvt 4 API calls 6931->6933 6932->6931 6932->6932 6932->6933 6933->6867 6935 2cb6ec3 2 API calls 6934->6935 6936 2cb7ef4 6935->6936 6946 2cb7fc9 6936->6946 6970 2cb73ff 6936->6970 6938 2cb7f16 6938->6946 6990 2cb7809 GetUserNameA 6938->6990 6940 2cb7f63 6940->6946 7014 2cbef1e lstrlenA 6940->7014 6943 2cbef1e lstrlenA 6944 2cb7fb7 6943->6944 7016 2cb7a95 RegOpenKeyExA 6944->7016 6946->6434 6948 2cb7073 6947->6948 6949 2cb70b9 RegOpenKeyExA 6948->6949 6950 2cb70d0 6949->6950 6964 2cb71b8 6949->6964 6951 2cb6dc2 6 API calls 6950->6951 6954 2cb70d5 6951->6954 6952 2cb719b RegEnumValueA 6953 2cb71af RegCloseKey 6952->6953 6952->6954 6953->6964 6954->6952 6956 2cb71d0 6954->6956 7047 2cbf1a5 lstrlenA 6954->7047 6957 2cb7205 RegCloseKey 6956->6957 6958 2cb7227 6956->6958 6957->6964 6959 2cb72b8 
___ascii_stricmp 6958->6959 6960 2cb728e RegCloseKey 6958->6960 6961 2cb72cd RegCloseKey 6959->6961 6962 2cb72dd 6959->6962 6960->6964 6961->6964 6963 2cb7311 RegCloseKey 6962->6963 6965 2cb7335 6962->6965 6963->6964 6964->6436 6966 2cb73d5 RegCloseKey 6965->6966 6968 2cb737e GetFileAttributesExA 6965->6968 6969 2cb7397 6965->6969 6967 2cb73e4 6966->6967 6968->6969 6969->6966 6971 2cb741b 6970->6971 6972 2cb6dc2 6 API calls 6971->6972 6973 2cb743f 6972->6973 6974 2cb7469 RegOpenKeyExA 6973->6974 6975 2cb77f9 6974->6975 6986 2cb7487 ___ascii_stricmp 6974->6986 6975->6938 6976 2cb7703 RegEnumKeyA 6977 2cb7714 RegCloseKey 6976->6977 6976->6986 6977->6975 6978 2cbf1a5 lstrlenA 6978->6986 6979 2cb74d2 RegOpenKeyExA 6979->6986 6980 2cb772c 6982 2cb774b 6980->6982 6983 2cb7742 RegCloseKey 6980->6983 6981 2cb7521 RegQueryValueExA 6981->6986 6984 2cb77ec RegCloseKey 6982->6984 6983->6982 6984->6975 6985 2cb76e4 RegCloseKey 6985->6986 6986->6976 6986->6978 6986->6979 6986->6980 6986->6981 6986->6985 6988 2cb777e GetFileAttributesExA 6986->6988 6989 2cb7769 6986->6989 6987 2cb77e3 RegCloseKey 6987->6984 6988->6989 6989->6987 6991 2cb7a8d 6990->6991 6992 2cb783d LookupAccountNameA 6990->6992 6991->6940 6992->6991 6993 2cb7874 GetLengthSid GetFileSecurityA 6992->6993 6993->6991 6994 2cb78a8 GetSecurityDescriptorOwner 6993->6994 6995 2cb791d GetSecurityDescriptorDacl 6994->6995 6996 2cb78c5 EqualSid 6994->6996 6995->6991 7012 2cb7941 6995->7012 6996->6995 6997 2cb78dc LocalAlloc 6996->6997 6997->6995 6998 2cb78ef InitializeSecurityDescriptor 6997->6998 6999 2cb78fb SetSecurityDescriptorOwner 6998->6999 7000 2cb7916 LocalFree 6998->7000 6999->7000 7002 2cb790b SetFileSecurityA 6999->7002 7000->6995 7001 2cb795b GetAce 7001->7012 7002->7000 7003 2cb7980 EqualSid 7003->7012 7004 2cb7a3d 7004->6991 7007 2cb7a43 LocalAlloc 7004->7007 7005 2cb79be EqualSid 7005->7012 7006 2cb799d DeleteAce 7006->7012 7007->6991 7008 2cb7a56 InitializeSecurityDescriptor 7007->7008 7009 2cb7a62 
SetSecurityDescriptorDacl 7008->7009 7010 2cb7a86 LocalFree 7008->7010 7009->7010 7011 2cb7a73 SetFileSecurityA 7009->7011 7010->6991 7011->7010 7013 2cb7a83 7011->7013 7012->6991 7012->7001 7012->7003 7012->7004 7012->7005 7012->7006 7013->7010 7015 2cb7fa6 7014->7015 7015->6943 7017 2cb7acb GetUserNameA 7016->7017 7018 2cb7ac4 7016->7018 7019 2cb7aed LookupAccountNameA 7017->7019 7020 2cb7da7 RegCloseKey 7017->7020 7018->6946 7019->7020 7021 2cb7b24 RegGetKeySecurity 7019->7021 7020->7018 7021->7020 7022 2cb7b49 GetSecurityDescriptorOwner 7021->7022 7023 2cb7bb8 GetSecurityDescriptorDacl 7022->7023 7024 2cb7b63 EqualSid 7022->7024 7025 2cb7da6 7023->7025 7031 2cb7bdc 7023->7031 7024->7023 7026 2cb7b74 LocalAlloc 7024->7026 7025->7020 7026->7023 7027 2cb7b8a InitializeSecurityDescriptor 7026->7027 7029 2cb7bb1 LocalFree 7027->7029 7030 2cb7b96 SetSecurityDescriptorOwner 7027->7030 7028 2cb7bf8 GetAce 7028->7031 7029->7023 7030->7029 7032 2cb7ba6 RegSetKeySecurity 7030->7032 7031->7025 7031->7028 7033 2cb7c1d EqualSid 7031->7033 7034 2cb7c5f EqualSid 7031->7034 7035 2cb7cd9 7031->7035 7036 2cb7c3a DeleteAce 7031->7036 7032->7029 7033->7031 7034->7031 7035->7025 7037 2cb7d5a LocalAlloc 7035->7037 7039 2cb7cf2 RegOpenKeyExA 7035->7039 7036->7031 7037->7025 7038 2cb7d70 InitializeSecurityDescriptor 7037->7038 7040 2cb7d9f LocalFree 7038->7040 7041 2cb7d7c SetSecurityDescriptorDacl 7038->7041 7039->7037 7044 2cb7d0f 7039->7044 7040->7025 7041->7040 7042 2cb7d8c RegSetKeySecurity 7041->7042 7042->7040 7043 2cb7d9c 7042->7043 7043->7040 7045 2cb7d43 RegSetValueExA 7044->7045 7045->7037 7046 2cb7d54 7045->7046 7046->7037 7048 2cbf1c3 7047->7048 7048->6954 7049->6455 7051 2cbdd05 6 API calls 7050->7051 7052 2cbe65f 7051->7052 7053 2cbe6a5 7052->7053 7055 2cbe68c lstrcmpA 7052->7055 7054 2cbebcc 4 API calls 7053->7054 7059 2cbe6f5 7053->7059 7056 2cbe6b0 7054->7056 7055->7052 7057 2cbe6e0 lstrcpynA 7056->7057 7056->7059 7060 2cbe6b7 7056->7060 7057->7059 7058 2cbe71d 
lstrcmpA 7058->7059 7059->7058 7059->7060 7060->6457 7061->6463 7063 2cb2692 inet_addr 7062->7063 7065 2cb268e 7062->7065 7064 2cb269e gethostbyname 7063->7064 7063->7065 7064->7065 7066 2cbf428 7065->7066 7214 2cbf315 7066->7214 7069 2cbf43e 7070 2cbf473 recv 7069->7070 7071 2cbf458 7070->7071 7072 2cbf47c 7070->7072 7071->7070 7071->7072 7072->6494 7074 2cbc532 7073->7074 7075 2cbc525 7073->7075 7076 2cbc548 7074->7076 7227 2cbe7ff 7074->7227 7075->7074 7079 2cbec2e codecvt 4 API calls 7075->7079 7077 2cbc54f 7076->7077 7080 2cbe7ff lstrcmpiA 7076->7080 7077->6476 7079->7074 7081 2cbc615 7080->7081 7081->7077 7083 2cbebcc 4 API calls 7081->7083 7083->7077 7084 2cbc5d1 7085 2cbebcc 4 API calls 7084->7085 7085->7077 7086 2cbe819 11 API calls 7087 2cbc5b7 7086->7087 7088 2cbf04e 4 API calls 7087->7088 7089 2cbc5bf 7088->7089 7089->7076 7089->7084 7092 2cbc8d2 7090->7092 7091 2cbc907 7091->6478 7092->7091 7093 2cbc517 23 API calls 7092->7093 7093->7091 7095 2cbc670 7094->7095 7097 2cbc67d 7094->7097 7096 2cbebcc 4 API calls 7095->7096 7096->7097 7098 2cbebcc 4 API calls 7097->7098 7100 2cbc699 7097->7100 7098->7100 7099 2cbc6f3 7099->6507 7099->6538 7100->7099 7101 2cbc73c send 7100->7101 7101->7099 7103 2cbc77d 7102->7103 7104 2cbc770 7102->7104 7105 2cbc799 7103->7105 7107 2cbebcc 4 API calls 7103->7107 7106 2cbebcc 4 API calls 7104->7106 7108 2cbc7b5 7105->7108 7109 2cbebcc 4 API calls 7105->7109 7106->7103 7107->7105 7110 2cbf43e recv 7108->7110 7109->7108 7111 2cbc7cb 7110->7111 7112 2cbf43e recv 7111->7112 7113 2cbc7d3 7111->7113 7112->7113 7113->6538 7230 2cb7db7 7114->7230 7117 2cb7e70 7119 2cb7e96 7117->7119 7121 2cbf04e 4 API calls 7117->7121 7118 2cbf04e 4 API calls 7120 2cb7e4c 7118->7120 7119->6538 7120->7117 7122 2cbf04e 4 API calls 7120->7122 7121->7119 7122->7117 7124 2cb6ec3 2 API calls 7123->7124 7125 2cb7fdd 7124->7125 7126 2cb73ff 17 API calls 7125->7126 7135 2cb80c2 CreateProcessA 7125->7135 7127 2cb7fff 7126->7127 7128 2cb7809 21 API calls 
7127->7128 7127->7135 7129 2cb804d 7128->7129 7130 2cbef1e lstrlenA 7129->7130 7129->7135 7131 2cb809e 7130->7131 7132 2cbef1e lstrlenA 7131->7132 7133 2cb80af 7132->7133 7134 2cb7a95 24 API calls 7133->7134 7134->7135 7135->6561 7135->6562 7137 2cb7db7 2 API calls 7136->7137 7138 2cb7eb8 7137->7138 7139 2cbf04e 4 API calls 7138->7139 7140 2cb7ece DeleteFileA 7139->7140 7140->6538 7142 2cbdd05 6 API calls 7141->7142 7143 2cbe31d 7142->7143 7234 2cbe177 7143->7234 7145 2cbe326 7145->6532 7147 2cb31f3 7146->7147 7157 2cb31ec 7146->7157 7148 2cbebcc 4 API calls 7147->7148 7162 2cb31fc 7148->7162 7149 2cb344b 7150 2cb3459 7149->7150 7151 2cb349d 7149->7151 7153 2cbf04e 4 API calls 7150->7153 7152 2cbec2e codecvt 4 API calls 7151->7152 7152->7157 7154 2cb345f 7153->7154 7156 2cb30fa 4 API calls 7154->7156 7155 2cbebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7155->7162 7156->7157 7157->6538 7158 2cb344d 7159 2cbec2e codecvt 4 API calls 7158->7159 7159->7149 7161 2cb3141 lstrcmpiA 7161->7162 7162->7149 7162->7155 7162->7157 7162->7158 7162->7161 7260 2cb30fa GetTickCount 7162->7260 7164 2cb30fa 4 API calls 7163->7164 7165 2cb3c1a 7164->7165 7169 2cb3ce6 7165->7169 7265 2cb3a72 7165->7265 7168 2cb3a72 9 API calls 7171 2cb3c5e 7168->7171 7169->6538 7170 2cb3a72 9 API calls 7170->7171 7171->7169 7171->7170 7172 2cbec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7171->7172 7172->7171 7174 2cb3a10 7173->7174 7175 2cb30fa 4 API calls 7174->7175 7176 2cb3a1a 7175->7176 7176->6538 7178 2cbdd05 6 API calls 7177->7178 7179 2cbe7be 7178->7179 7179->6538 7181 2cbc07e wsprintfA 7180->7181 7185 2cbc105 7180->7185 7274 2cbbfce GetTickCount wsprintfA 7181->7274 7183 2cbc0ef 7275 2cbbfce GetTickCount wsprintfA 7183->7275 7185->6538 7187 2cb6f88 LookupAccountNameA 7186->7187 7188 2cb7047 7186->7188 7190 2cb6fcb 7187->7190 7191 2cb7025 7187->7191 7188->6538 7193 2cb6fdb ConvertSidToStringSidA 7190->7193 7276 2cb6edd 7191->7276 7193->7191 7195 2cb6ff1 
7193->7195 7196 2cb7013 LocalFree 7195->7196 7196->7191 7198 2cbdd05 6 API calls 7197->7198 7199 2cbe85c 7198->7199 7200 2cbdd84 lstrcmpiA 7199->7200 7201 2cbe867 7200->7201 7202 2cbe885 lstrcpyA 7201->7202 7287 2cb24a5 7201->7287 7290 2cbdd69 7202->7290 7208 2cb7db7 2 API calls 7207->7208 7209 2cb7de1 7208->7209 7210 2cb7e16 7209->7210 7211 2cbf04e 4 API calls 7209->7211 7210->6538 7212 2cb7df2 7211->7212 7212->7210 7213 2cbf04e 4 API calls 7212->7213 7213->7210 7215 2cbf33b 7214->7215 7216 2cbca1d 7214->7216 7217 2cbf347 htons socket 7215->7217 7216->6491 7216->7069 7218 2cbf382 ioctlsocket 7217->7218 7219 2cbf374 closesocket 7217->7219 7220 2cbf3aa connect select 7218->7220 7221 2cbf39d 7218->7221 7219->7216 7220->7216 7223 2cbf3f2 __WSAFDIsSet 7220->7223 7222 2cbf39f closesocket 7221->7222 7222->7216 7223->7222 7224 2cbf403 ioctlsocket 7223->7224 7226 2cbf26d setsockopt setsockopt setsockopt setsockopt setsockopt 7224->7226 7226->7216 7228 2cbdd84 lstrcmpiA 7227->7228 7229 2cbc58e 7228->7229 7229->7076 7229->7084 7229->7086 7231 2cb7dc8 InterlockedExchange 7230->7231 7232 2cb7dc0 Sleep 7231->7232 7233 2cb7dd4 7231->7233 7232->7231 7233->7117 7233->7118 7235 2cbe184 7234->7235 7236 2cbe2e4 7235->7236 7237 2cbe223 7235->7237 7250 2cbdfe2 7235->7250 7236->7145 7237->7236 7240 2cbdfe2 8 API calls 7237->7240 7239 2cbe1be 7239->7237 7241 2cbdbcf 3 API calls 7239->7241 7243 2cbe23c 7240->7243 7244 2cbe1d6 7241->7244 7242 2cbe21a CloseHandle 7242->7237 7243->7236 7254 2cbe095 RegCreateKeyExA 7243->7254 7244->7237 7244->7242 7245 2cbe1f9 WriteFile 7244->7245 7245->7242 7247 2cbe213 7245->7247 7247->7242 7248 2cbe2a3 7248->7236 7249 2cbe095 4 API calls 7248->7249 7249->7236 7251 2cbdffc 7250->7251 7253 2cbe024 7250->7253 7252 2cbdb2e 8 API calls 7251->7252 7251->7253 7252->7253 7253->7239 7255 2cbe172 7254->7255 7256 2cbe0c0 7254->7256 7255->7248 7257 2cbe13d 7256->7257 7259 2cbe115 RegSetValueExA 7256->7259 7258 2cbe14e RegDeleteValueA RegCloseKey 7257->7258 7258->7255 
7259->7256 7259->7257 7261 2cb3122 InterlockedExchange 7260->7261 7262 2cb310f GetTickCount 7261->7262 7263 2cb312e 7261->7263 7262->7263 7264 2cb311a Sleep 7262->7264 7263->7162 7264->7261 7266 2cbf04e 4 API calls 7265->7266 7273 2cb3a83 7266->7273 7267 2cb3ac1 7267->7168 7267->7169 7268 2cb3be6 7269 2cbec2e codecvt 4 API calls 7268->7269 7269->7267 7270 2cb3bc0 7270->7268 7272 2cbec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7270->7272 7271 2cb3b66 lstrlenA 7271->7267 7271->7273 7272->7270 7273->7267 7273->7270 7273->7271 7274->7183 7275->7185 7277 2cb6eef AllocateAndInitializeSid 7276->7277 7278 2cb6f55 wsprintfA 7276->7278 7279 2cb6f1c CheckTokenMembership 7277->7279 7280 2cb6f44 7277->7280 7278->7188 7281 2cb6f3b FreeSid 7279->7281 7282 2cb6f2e 7279->7282 7280->7278 7284 2cb6e36 GetUserNameW 7280->7284 7281->7280 7282->7281 7285 2cb6e5f LookupAccountNameW 7284->7285 7286 2cb6e97 7284->7286 7285->7286 7286->7278 7288 2cb2419 4 API calls 7287->7288 7289 2cb24b6 7288->7289 7289->7202 7291 2cbdd79 lstrlenA 7290->7291 7291->6538 7293 2cbeb21 7292->7293 7294 2cbeb17 7292->7294 7293->6618 7295 2cbeae4 2 API calls 7294->7295 7295->7293 7297 2cb69b9 WriteFile 7296->7297 7299 2cb6a3c 7297->7299 7300 2cb69ff 7297->7300 7299->6614 7299->6615 7300->7299 7301 2cb6a10 WriteFile 7300->7301 7301->7299 7301->7300 7303 2cb3edc 7302->7303 7305 2cb3ee2 7302->7305 7304 2cb6dc2 6 API calls 7303->7304 7304->7305 7305->6629 7307 2cb400b CreateFileA 7306->7307 7308 2cb402c GetLastError 7307->7308 7309 2cb4052 7307->7309 7308->7309 7310 2cb4037 7308->7310 7309->6632 7310->7309 7311 2cb4041 Sleep 7310->7311 7311->7307 7311->7309 7313 2cb3f4e GetLastError 7312->7313 7314 2cb3f7c 7312->7314 7313->7314 7315 2cb3f5b WaitForSingleObject GetOverlappedResult 7313->7315 7316 2cb3f8c ReadFile 7314->7316 7315->7314 7317 2cb3fc2 GetLastError 7316->7317 7318 2cb3ff0 7316->7318 7317->7318 7319 2cb3fcf WaitForSingleObject GetOverlappedResult 7317->7319 7318->6637 7318->6638 
7319->7318 7321 2cb1924 GetVersionExA 7320->7321 7321->6677 7323 2cbf0ed 7322->7323 7324 2cbf0f1 7322->7324 7323->6709 7325 2cbf0fa lstrlenA SysAllocStringByteLen 7324->7325 7326 2cbf119 7324->7326 7327 2cbf11c MultiByteToWideChar 7325->7327 7328 2cbf117 7325->7328 7326->7327 7327->7328 7328->6709 7330 2cb1820 17 API calls 7329->7330 7331 2cb18f2 7330->7331 7332 2cb18f9 7331->7332 7346 2cb1280 7331->7346 7332->6697 7334 2cb1908 7334->6697 7358 2cb1000 7335->7358 7337 2cb1839 7338 2cb183d 7337->7338 7339 2cb1851 GetCurrentProcess 7337->7339 7338->6694 7340 2cb1864 7339->7340 7340->6694 7342 2cb920e 7341->7342 7345 2cb9308 7341->7345 7343 2cb92f1 Sleep 7342->7343 7344 2cb92bf ShellExecuteA 7342->7344 7342->7345 7343->7342 7344->7342 7344->7345 7345->6697 7347 2cb12e1 7346->7347 7348 2cb16f9 GetLastError 7347->7348 7356 2cb13a8 7347->7356 7349 2cb1699 7348->7349 7349->7334 7350 2cb1570 lstrlenW 7350->7356 7351 2cb15be GetStartupInfoW 7351->7356 7352 2cb15ff CreateProcessWithLogonW 7353 2cb16bf GetLastError 7352->7353 7354 2cb163f WaitForSingleObject 7352->7354 7353->7349 7355 2cb1659 CloseHandle 7354->7355 7354->7356 7355->7356 7356->7349 7356->7350 7356->7351 7356->7352 7357 2cb1668 CloseHandle 7356->7357 7357->7356 7359 2cb100d LoadLibraryA 7358->7359 7374 2cb1023 7358->7374 7360 2cb1021 7359->7360 7359->7374 7360->7337 7361 2cb10b5 GetProcAddress 7362 2cb127b 7361->7362 7363 2cb10d1 GetProcAddress 7361->7363 7362->7337 7363->7362 7364 2cb10f0 GetProcAddress 7363->7364 7364->7362 7365 2cb1110 GetProcAddress 7364->7365 7365->7362 7366 2cb1130 GetProcAddress 7365->7366 7366->7362 7367 2cb114f GetProcAddress 7366->7367 7367->7362 7368 2cb116f GetProcAddress 7367->7368 7368->7362 7369 2cb118f GetProcAddress 7368->7369 7369->7362 7370 2cb11ae GetProcAddress 7369->7370 7370->7362 7371 2cb11ce GetProcAddress 7370->7371 7371->7362 7372 2cb11ee GetProcAddress 7371->7372 7372->7362 7373 2cb1209 GetProcAddress 7372->7373 7373->7362 7375 2cb1225 GetProcAddress 7373->7375 
7374->7361 7378 2cb10ae 7374->7378 7375->7362 7376 2cb1241 GetProcAddress 7375->7376 7376->7362 7377 2cb125c GetProcAddress 7376->7377 7377->7362 7378->7337 7380 2cb908d 7379->7380 7381 2cb90e2 wsprintfA 7380->7381 7382 2cbee2a 7381->7382 7383 2cb90fd CreateFileA 7382->7383 7384 2cb911a lstrlenA WriteFile CloseHandle 7383->7384 7385 2cb913f 7383->7385 7384->7385 7385->6732 7385->6733 7387 2cbee2a 7386->7387 7388 2cb9794 CreateProcessA 7387->7388 7389 2cb97bb 7388->7389 7390 2cb97c2 7388->7390 7389->6744 7391 2cb97d4 GetThreadContext 7390->7391 7392 2cb9801 7391->7392 7393 2cb97f5 7391->7393 7400 2cb637c 7392->7400 7395 2cb97f6 TerminateProcess 7393->7395 7395->7389 7396 2cb9816 7396->7395 7397 2cb981e WriteProcessMemory 7396->7397 7397->7393 7398 2cb983b SetThreadContext 7397->7398 7398->7393 7399 2cb9858 ResumeThread 7398->7399 7399->7389 7401 2cb638a GetModuleHandleA VirtualAlloc 7400->7401 7402 2cb6386 7400->7402 7403 2cb63b6 7401->7403 7407 2cb63f5 7401->7407 7402->7396 7404 2cb63be VirtualAllocEx 7403->7404 7405 2cb63d6 7404->7405 7404->7407 7406 2cb63df WriteProcessMemory 7405->7406 7406->7407 7407->7396 7409 2cb8791 7408->7409 7410 2cb879f 7408->7410 7411 2cbf04e 4 API calls 7409->7411 7413 2cbf04e 4 API calls 7410->7413 7414 2cb87bc 7410->7414 7411->7410 7412 2cbe819 11 API calls 7415 2cb87d7 7412->7415 7413->7414 7414->7412 7428 2cb8803 7415->7428 7563 2cb26b2 gethostbyaddr 7415->7563 7418 2cb87eb 7420 2cbe8a1 30 API calls 7418->7420 7418->7428 7420->7428 7423 2cbf04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7423->7428 7424 2cbe819 11 API calls 7424->7428 7425 2cb88a0 Sleep 7425->7428 7427 2cb26b2 2 API calls 7427->7428 7428->7423 7428->7424 7428->7425 7428->7427 7429 2cbe8a1 30 API calls 7428->7429 7460 2cb8cee 7428->7460 7468 2cbc4d6 7428->7468 7471 2cbc4e2 7428->7471 7474 2cb2011 7428->7474 7509 2cb8328 7428->7509 7429->7428 7431 2cb407d 7430->7431 7432 2cb4084 7430->7432 7433 2cb3ecd 6 API calls 7432->7433 7434 2cb408f 
7433->7434 7435 2cb4000 3 API calls 7434->7435 7436 2cb4095 7435->7436 7437 2cb4130 7436->7437 7438 2cb40c0 7436->7438 7439 2cb3ecd 6 API calls 7437->7439 7443 2cb3f18 4 API calls 7438->7443 7440 2cb4159 CreateNamedPipeA 7439->7440 7441 2cb4188 ConnectNamedPipe 7440->7441 7442 2cb4167 Sleep 7440->7442 7446 2cb4195 GetLastError 7441->7446 7456 2cb41ab 7441->7456 7442->7437 7444 2cb4176 CloseHandle 7442->7444 7445 2cb40da 7443->7445 7444->7441 7447 2cb3f8c 4 API calls 7445->7447 7448 2cb425e DisconnectNamedPipe 7446->7448 7446->7456 7449 2cb40ec 7447->7449 7448->7441 7450 2cb4127 CloseHandle 7449->7450 7452 2cb4101 7449->7452 7450->7437 7451 2cb3f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7451->7456 7453 2cb3f18 4 API calls 7452->7453 7454 2cb411c ExitProcess 7453->7454 7455 2cb3f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7455->7456 7456->7441 7456->7448 7456->7451 7456->7455 7457 2cb426a CloseHandle CloseHandle 7456->7457 7458 2cbe318 23 API calls 7457->7458 7459 2cb427b 7458->7459 7459->7459 7461 2cb8dae 7460->7461 7462 2cb8d02 GetTickCount 7460->7462 7461->7428 7462->7461 7465 2cb8d19 7462->7465 7463 2cb8da1 GetTickCount 7463->7461 7465->7463 7467 2cb8d89 7465->7467 7568 2cba677 7465->7568 7571 2cba688 7465->7571 7467->7463 7579 2cbc2dc 7468->7579 7472 2cbc2dc 142 API calls 7471->7472 7473 2cbc4ec 7472->7473 7473->7428 7475 2cb2020 7474->7475 7476 2cb202e 7474->7476 7477 2cbf04e 4 API calls 7475->7477 7478 2cb204b 7476->7478 7479 2cbf04e 4 API calls 7476->7479 7477->7476 7480 2cb206e GetTickCount 7478->7480 7482 2cbf04e 4 API calls 7478->7482 7479->7478 7481 2cb20db GetTickCount 7480->7481 7493 2cb2090 7480->7493 7485 2cb2132 GetTickCount GetTickCount 7481->7485 7492 2cb20e7 7481->7492 7483 2cb2068 7482->7483 7483->7480 7484 2cb20d4 GetTickCount 7484->7481 7487 2cbf04e 4 API calls 7485->7487 7486 2cb212b GetTickCount 7486->7485 7489 2cb2159 7487->7489 7488 2cb2684 2 API calls 7488->7493 7491 2cb21b4 7489->7491 7495 
2cbe854 13 API calls 7489->7495 7494 2cbf04e 4 API calls 7491->7494 7492->7486 7501 2cb1978 15 API calls 7492->7501 7502 2cb2125 7492->7502 7909 2cb2ef8 7492->7909 7493->7484 7493->7488 7499 2cb20ce 7493->7499 7919 2cb1978 7493->7919 7498 2cb21d1 7494->7498 7496 2cb218e 7495->7496 7500 2cbe819 11 API calls 7496->7500 7503 2cb21f2 7498->7503 7505 2cbea84 30 API calls 7498->7505 7499->7484 7504 2cb219c 7500->7504 7501->7492 7502->7486 7503->7428 7504->7491 7924 2cb1c5f 7504->7924 7506 2cb21ec 7505->7506 7507 2cbf04e 4 API calls 7506->7507 7507->7503 7510 2cb7dd6 6 API calls 7509->7510 7511 2cb833c 7510->7511 7512 2cb6ec3 2 API calls 7511->7512 7540 2cb8340 7511->7540 7513 2cb834f 7512->7513 7514 2cb835c 7513->7514 7517 2cb846b 7513->7517 7515 2cb73ff 17 API calls 7514->7515 7533 2cb8373 7515->7533 7516 2cb85df 7518 2cb8626 GetTempPathA 7516->7518 7530 2cb8768 7516->7530 7541 2cb8671 7516->7541 7520 2cb84a7 RegOpenKeyExA 7517->7520 7534 2cb8450 7517->7534 7531 2cb8638 7518->7531 7519 2cb675c 21 API calls 7519->7516 7522 2cb852f 7520->7522 7523 2cb84c0 RegQueryValueExA 7520->7523 7528 2cb8564 RegOpenKeyExA 7522->7528 7544 2cb85a5 7522->7544 7525 2cb84dd 7523->7525 7526 2cb8521 RegCloseKey 7523->7526 7524 2cb86ad 7527 2cb8762 7524->7527 7529 2cb7e2f 6 API calls 7524->7529 7525->7526 7535 2cbebcc 4 API calls 7525->7535 7526->7522 7527->7530 7532 2cb8573 RegSetValueExA RegCloseKey 7528->7532 7528->7544 7545 2cb86bb 7529->7545 7537 2cbec2e codecvt 4 API calls 7530->7537 7530->7540 7531->7541 7532->7544 7533->7534 7533->7540 7542 2cb83ea RegOpenKeyExA 7533->7542 7534->7516 7534->7519 7539 2cb84f0 7535->7539 7536 2cb875b DeleteFileA 7536->7527 7537->7540 7539->7526 7543 2cb84f8 RegQueryValueExA 7539->7543 7540->7428 7996 2cb6ba7 IsBadCodePtr 7541->7996 7542->7534 7546 2cb83fd RegQueryValueExA 7542->7546 7543->7526 7547 2cb8515 7543->7547 7544->7534 7548 2cbec2e codecvt 4 API calls 7544->7548 7545->7536 7549 2cb86e0 lstrcpyA lstrlenA 7545->7549 7550 2cb842d RegSetValueExA 
7546->7550 7553 2cb841e 7546->7553 7551 2cbec2e codecvt 4 API calls 7547->7551 7548->7534 7552 2cb7fcf 64 API calls 7549->7552 7554 2cb8447 RegCloseKey 7550->7554 7555 2cb851d 7551->7555 7556 2cb8719 CreateProcessA 7552->7556 7553->7550 7553->7554 7554->7534 7555->7526 7557 2cb874f 7556->7557 7558 2cb873d CloseHandle CloseHandle 7556->7558 7559 2cb7ee6 64 API calls 7557->7559 7558->7530 7560 2cb8754 7559->7560 7561 2cb7ead 6 API calls 7560->7561 7562 2cb875a 7561->7562 7562->7536 7564 2cb26fb 7563->7564 7565 2cb26cd 7563->7565 7564->7418 7566 2cb26e1 inet_ntoa 7565->7566 7567 2cb26de 7565->7567 7566->7567 7567->7418 7574 2cba63d 7568->7574 7570 2cba685 7570->7465 7572 2cba63d GetTickCount 7571->7572 7573 2cba696 7572->7573 7573->7465 7575 2cba64d 7574->7575 7576 2cba645 7574->7576 7577 2cba65e GetTickCount 7575->7577 7578 2cba66e 7575->7578 7576->7570 7577->7578 7578->7570 7596 2cba4c7 GetTickCount 7579->7596 7582 2cbc300 GetTickCount 7585 2cbc337 7582->7585 7583 2cbc326 7584 2cbc32b GetTickCount 7583->7584 7583->7585 7584->7585 7589 2cbc47a 7585->7589 7590 2cbc363 GetTickCount 7585->7590 7586 2cbc4ab InterlockedIncrement CreateThread 7587 2cbc4d2 7586->7587 7588 2cbc4cb CloseHandle 7586->7588 7601 2cbb535 7586->7601 7587->7428 7588->7587 7589->7586 7589->7587 7590->7589 7591 2cbc373 7590->7591 7592 2cbc378 GetTickCount 7591->7592 7593 2cbc37f 7591->7593 7592->7593 7594 2cbc43b GetTickCount 7593->7594 7595 2cbc45e 7594->7595 7595->7589 7597 2cba4f7 InterlockedExchange 7596->7597 7598 2cba500 7597->7598 7599 2cba4e4 GetTickCount 7597->7599 7598->7582 7598->7583 7598->7589 7599->7598 7600 2cba4ef Sleep 7599->7600 7600->7597 7602 2cbb566 7601->7602 7603 2cbebcc 4 API calls 7602->7603 7604 2cbb587 7603->7604 7605 2cbebcc 4 API calls 7604->7605 7644 2cbb590 7605->7644 7606 2cbbdcd InterlockedDecrement 7607 2cbbde2 7606->7607 7609 2cbec2e codecvt 4 API calls 7607->7609 7610 2cbbdea 7609->7610 7612 2cbec2e codecvt 4 API calls 7610->7612 7611 2cbbdb7 Sleep 7611->7644 7613 
2cbbdf2 7612->7613 7615 2cbbe05 7613->7615 7616 2cbec2e codecvt 4 API calls 7613->7616 7614 2cbbdcc 7614->7606 7616->7615 7617 2cbebed 8 API calls 7617->7644 7620 2cbb6b6 lstrlenA 7620->7644 7621 2cb30b5 2 API calls 7621->7644 7622 2cbe819 11 API calls 7622->7644 7623 2cbb6ed lstrcpyA 7676 2cb5ce1 7623->7676 7626 2cbb71f lstrcmpA 7627 2cbb731 lstrlenA 7626->7627 7626->7644 7627->7644 7628 2cbb772 GetTickCount 7628->7644 7629 2cbbd49 InterlockedIncrement 7770 2cba628 7629->7770 7632 2cbb7ce InterlockedIncrement 7686 2cbacd7 7632->7686 7633 2cbbc5b InterlockedIncrement 7633->7644 7636 2cbb912 GetTickCount 7636->7644 7637 2cbbcdc closesocket 7637->7644 7638 2cbb932 GetTickCount 7640 2cbbc6d InterlockedIncrement 7638->7640 7638->7644 7639 2cbb826 InterlockedIncrement 7639->7628 7640->7644 7641 2cb38f0 6 API calls 7641->7644 7643 2cbbba6 InterlockedIncrement 7643->7644 7644->7606 7644->7611 7644->7614 7644->7617 7644->7620 7644->7621 7644->7622 7644->7623 7644->7626 7644->7627 7644->7628 7644->7629 7644->7632 7644->7633 7644->7636 7644->7637 7644->7638 7644->7639 7644->7641 7644->7643 7647 2cba7c1 22 API calls 7644->7647 7648 2cbbc4c closesocket 7644->7648 7650 2cbba71 wsprintfA 7644->7650 7651 2cb5ded 12 API calls 7644->7651 7653 2cb5ce1 22 API calls 7644->7653 7655 2cbab81 lstrcpynA InterlockedIncrement 7644->7655 7656 2cbef1e lstrlenA 7644->7656 7657 2cba688 GetTickCount 7644->7657 7658 2cb3e10 7644->7658 7661 2cb3e4f 7644->7661 7664 2cb384f 7644->7664 7684 2cba7a3 inet_ntoa 7644->7684 7691 2cbabee 7644->7691 7703 2cb1feb GetTickCount 7644->7703 7724 2cb3cfb 7644->7724 7727 2cbb3c5 7644->7727 7758 2cbab81 7644->7758 7647->7644 7648->7644 7704 2cba7c1 7650->7704 7651->7644 7653->7644 7655->7644 7656->7644 7657->7644 7659 2cb30fa 4 API calls 7658->7659 7660 2cb3e1d 7659->7660 7660->7644 7662 2cb30fa 4 API calls 7661->7662 7663 2cb3e5c 7662->7663 7663->7644 7665 2cb30fa 4 API calls 7664->7665 7667 2cb3863 7665->7667 7666 2cb38b2 7666->7644 7667->7666 7668 2cb38b9 
                                                                      (Remainder of the control-flow graph node/edge listing omitted; it is graph-layout data that does not read in text form. The blocks it covers belong to callee functions inside the 02CB0000 module and call GetTickCount, lstrlenA, lstrcpyA, lstrcpynA, lstrcmpiA, wsprintfA, send, recv, sendto, select, socket, closesocket, htons, inet_addr, inet_ntoa, gethostname, gethostbyname, DnsQuery_A, GetModuleHandleA, LoadLibraryA, GetProcAddress, GetProcessHeap, HeapAlloc, HeapFree, GetCurrentThreadId, InterlockedExchange, InterlockedIncrement, Sleep, IsBadCodePtr, IsBadWritePtr, GetLocalTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeZoneInformation, CreateFileA, WriteFile, CloseHandle, DeleteFileA, RegisterServiceCtrlHandlerA and SetServiceStatus. The call sites of the function itself are listed under APIs below.)
                                                                      APIs
                                                                      • closesocket.WS2_32(?), ref: 02CBCA4E
                                                                      • closesocket.WS2_32(?), ref: 02CBCB63
                                                                      • GetTempPathA.KERNEL32(00000120,?), ref: 02CBCC28
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02CBCCB4
                                                                      • WriteFile.KERNEL32(02CBA4B3,?,-000000E8,?,00000000), ref: 02CBCCDC
                                                                      • CloseHandle.KERNEL32(02CBA4B3), ref: 02CBCCED
                                                                      • wsprintfA.USER32 ref: 02CBCD21
                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02CBCD77
                                                                      • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02CBCD89
                                                                      • CloseHandle.KERNEL32(?), ref: 02CBCD98
                                                                      • CloseHandle.KERNEL32(?), ref: 02CBCD9D
                                                                      • DeleteFileA.KERNEL32(?), ref: 02CBCDC4
                                                                      • CloseHandle.KERNEL32(02CBA4B3), ref: 02CBCDCC
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02CBCFB1
                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02CBCFEF
                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02CBD033
                                                                      • lstrcatA.KERNEL32(?,04300108), ref: 02CBD10C
                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 02CBD155
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02CBD171
                                                                      • WriteFile.KERNEL32(00000000,0430012C,?,?,00000000), ref: 02CBD195
                                                                      • CloseHandle.KERNEL32(00000000), ref: 02CBD19C
                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 02CBD1C8
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02CBD231
                                                                      • lstrcatA.KERNEL32(?,04300108,?,?,?,?,?,?,?,00000100), ref: 02CBD27C
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02CBD2AB
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02CBD2C7
                                                                      • WriteFile.KERNEL32(00000000,0430012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02CBD2EB
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02CBD2F2
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02CBD326
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02CBD372
                                                                      • lstrcatA.KERNEL32(?,04300108,?,?,?,?,?,?,?,00000100), ref: 02CBD3BD
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02CBD3EC
                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02CBD408
                                                                      • WriteFile.KERNEL32(00000000,0430012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02CBD428
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02CBD42F
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02CBD45B
                                                                      • CreateProcessA.KERNEL32(?,02CC0264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02CBD4DE
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02CBD4F4
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02CBD4FC
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02CBD513
                                                                      • closesocket.WS2_32(?), ref: 02CBD56C
                                                                      • Sleep.KERNEL32(000003E8), ref: 02CBD577
                                                                      • ExitProcess.KERNEL32 ref: 02CBD583
                                                                      • wsprintfA.USER32 ref: 02CBD81F
                                                                        • Part of subcall function 02CBC65C: send.WS2_32(00000000,?,00000000), ref: 02CBC74B
                                                                      • closesocket.WS2_32(?), ref: 02CBDAD5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                      • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                      • API String ID: 562065436-1520200621
                                                                      • Opcode ID: 41dcaa6fa5dfc202bd6d2e32e71ad948eca899f1ee92cdd6be750e8ab3113b4c
                                                                      • Instruction ID: 401d23fd977d41811e7ce09a8836fee2f505bc9de6f49426d84af0b5a3e695ec
                                                                      • Opcode Fuzzy Hash: 41dcaa6fa5dfc202bd6d2e32e71ad948eca899f1ee92cdd6be750e8ab3113b4c
                                                                      • Instruction Fuzzy Hash: 74B2E5B2D40248AFEB22AFA4DC48FEE7BBDEF44304F2445AAE546A3140D7309A55DF51
                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 02CB9A7F
                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 02CB9A83
                                                                      • SetUnhandledExceptionFilter.KERNEL32(02CB6511), ref: 02CB9A8A
                                                                        • Part of subcall function 02CBEC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02CBEC5E
                                                                        • Part of subcall function 02CBEC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02CBEC72
                                                                        • Part of subcall function 02CBEC54: GetTickCount.KERNEL32 ref: 02CBEC78
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02CB9AB3
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 02CB9ABA
                                                                      • GetCommandLineA.KERNEL32 ref: 02CB9AFD
                                                                      • lstrlenA.KERNEL32(?), ref: 02CB9B99
                                                                      • ExitProcess.KERNEL32 ref: 02CB9C06
                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 02CB9CAC
                                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 02CB9D7A
                                                                      • lstrcatA.KERNEL32(?,?), ref: 02CB9D8B
                                                                      • lstrcatA.KERNEL32(?,02CC070C), ref: 02CB9D9D
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02CB9DED
                                                                      • DeleteFileA.KERNEL32(00000022), ref: 02CB9E38
                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02CB9E6F
                                                                      • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02CB9EC8
                                                                      • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02CB9ED5
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02CB9F3B
                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02CB9F5E
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02CB9F6A
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02CB9FAD
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02CB9FB4
                                                                      • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02CB9FFE
                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 02CBA038
                                                                      • lstrcatA.KERNEL32(00000022,02CC0A34), ref: 02CBA05E
                                                                      • lstrcatA.KERNEL32(00000022,00000022), ref: 02CBA072
                                                                      • lstrcatA.KERNEL32(00000022,02CC0A34), ref: 02CBA08D
                                                                      • wsprintfA.USER32 ref: 02CBA0B6
                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 02CBA0DE
                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 02CBA0FD
                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 02CBA120
                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02CBA131
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 02CBA174
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 02CBA17B
                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 02CBA1B6
                                                                      • GetCommandLineA.KERNEL32 ref: 02CBA1E5
                                                                        • Part of subcall function 02CB99D2: lstrcpyA.KERNEL32(?,?,00000100,02CC22F8,00000000,?,02CB9E9D,?,00000022,?,?,?,?,?,?,?), ref: 02CB99DF
                                                                        • Part of subcall function 02CB99D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02CB9E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02CB9A3C
                                                                        • Part of subcall function 02CB99D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02CB9E9D,?,00000022,?,?,?), ref: 02CB9A52
                                                                      • lstrlenA.KERNEL32(?), ref: 02CBA288
                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02CBA3B7
                                                                      • GetLastError.KERNEL32 ref: 02CBA3ED
                                                                      • Sleep.KERNELBASE(000003E8), ref: 02CBA400
                                                                      • DeleteFileA.KERNELBASE(02CC33D8), ref: 02CBA407
                                                                      • CreateThread.KERNELBASE(00000000,00000000,02CB405E,00000000,00000000,00000000), ref: 02CBA42C
                                                                      • WSAStartup.WS2_32(00001010,?), ref: 02CBA43A
                                                                      • CreateThread.KERNELBASE(00000000,00000000,02CB877E,00000000,00000000,00000000), ref: 02CBA469
                                                                      • Sleep.KERNELBASE(00000BB8), ref: 02CBA48A
                                                                      • GetTickCount.KERNEL32 ref: 02CBA49F
                                                                      • GetTickCount.KERNEL32 ref: 02CBA4B7
                                                                      • Sleep.KERNELBASE(00001A90), ref: 02CBA4C3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                      • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe$D$P$\$djiglggs
                                                                      • API String ID: 2089075347-1203890814
                                                                      • Opcode ID: 4bee978c4814841bc4395cb7b89487013ef3eaaff7eacd7f792f6c1589f42e46
                                                                      • Instruction ID: 14f6a6221d2e71a74a82d9e85e13b232e45a11a1847a803b271e5958369fd0f3
                                                                      • Opcode Fuzzy Hash: 4bee978c4814841bc4395cb7b89487013ef3eaaff7eacd7f792f6c1589f42e46
                                                                      • Instruction Fuzzy Hash: AB5290B1C40299EFDB22DBA4CC49FEE7BBCAF44704F1445AAE609E2140E7709B449F61

                                                                      Control-flow Graph

                                                                      (Graph of the function at 02CB199C; the rendered node/edge listing and its executed/not-executed colour legend are omitted here. Its basic blocks call inet_addr, LoadLibraryA, GetProcAddress (three times), GetBestInterface, GetProcessHeap, HeapAlloc, GetAdaptersInfo (twice), HeapReAlloc, HeapFree and FreeLibrary; the call sites follow under APIs.)
                                                                      APIs
                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 02CB19B1
                                                                      • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02CB1E9E), ref: 02CB19BF
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02CB19E2
                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 02CB19ED
                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 02CB19F9
                                                                      • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02CB1E9E), ref: 02CB1A1B
                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02CB1E9E), ref: 02CB1A1D
                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02CB1E9E), ref: 02CB1A36
                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,02CB1E9E,?,?,?,?,00000001,02CB1E9E), ref: 02CB1A4A
                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,02CB1E9E,?,?,?,?,00000001,02CB1E9E), ref: 02CB1A5A
                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,02CB1E9E,?,?,?,?,00000001,02CB1E9E), ref: 02CB1A6E
                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02CB1E9E), ref: 02CB1A9B
                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02CB1E9E), ref: 02CB1AA4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                      • API String ID: 293628436-270533642
                                                                      • Opcode ID: 624847db911dcfc396fdc72ea456349ece3a68d4f8718740b1aeacc93f37fe62
                                                                      • Instruction ID: d85e517c05a3fc745ca3dcd3422cf94e58d2dd49785634f95979104643e72530
                                                                      • Opcode Fuzzy Hash: 624847db911dcfc396fdc72ea456349ece3a68d4f8718740b1aeacc93f37fe62
                                                                      • Instruction Fuzzy Hash: 6A317271D80219EFDB129FE4CC989FEBBB9EF86605F280579E505A2110D7705B40CBA0

                                                                      Control-flow Graph

                                                                      (Graph of the function at 02CB7A95; the rendered node/edge listing and its executed/not-executed colour legend are omitted here. Its basic blocks call RegOpenKeyExA (twice), GetUserNameA, LookupAccountNameA, RegGetKeySecurity, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, RegSetKeySecurity, LocalFree, GetSecurityDescriptorDacl, GetAce, DeleteAce, RegSetValueExA and RegCloseKey, and call the internal function at 02CB2544; the call sites follow under APIs.)
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02CB7ABA
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 02CB7ADF
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,02CC070C,?,?,?), ref: 02CB7B16
                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02CB7B3B
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02CB7B59
                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 02CB7B6A
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 02CB7B7E
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02CB7B8C
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02CB7B9C
                                                                      • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02CB7BAB
                                                                      • LocalFree.KERNEL32(00000000), ref: 02CB7BB2
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,02CB7FC9,?,00000000), ref: 02CB7BCE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                      • String ID: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe$D
                                                                      • API String ID: 2976863881-2485478636
                                                                      • Opcode ID: c40c4ecc1a3a40c266ea8becca6477525f18ae15383b379f9e5453fb26e1bfc1
                                                                      • Instruction ID: bb5206a15e77ceb9d113805e46fbd9c95661a32a55f9f1cc1355a492e5b57784
                                                                      • Opcode Fuzzy Hash: c40c4ecc1a3a40c266ea8becca6477525f18ae15383b379f9e5453fb26e1bfc1
                                                                      • Instruction Fuzzy Hash: C0A14C72D40219EBDF128FA4CC88FEEBBB9FF84745F144569E906E2140D7358A59CB60

                                                                      Control-flow Graph

                                                                      control_flow_graph 748 2cb7809-2cb7837 GetUserNameA 749 2cb7a8e-2cb7a94 748->749 750 2cb783d-2cb786e LookupAccountNameA 748->750 750->749 751 2cb7874-2cb78a2 GetLengthSid GetFileSecurityA 750->751 751->749 752 2cb78a8-2cb78c3 GetSecurityDescriptorOwner 751->752 753 2cb791d-2cb793b GetSecurityDescriptorDacl 752->753 754 2cb78c5-2cb78da EqualSid 752->754 756 2cb7a8d 753->756 757 2cb7941-2cb7946 753->757 754->753 755 2cb78dc-2cb78ed LocalAlloc 754->755 755->753 758 2cb78ef-2cb78f9 InitializeSecurityDescriptor 755->758 756->749 757->756 759 2cb794c-2cb7955 757->759 760 2cb78fb-2cb7909 SetSecurityDescriptorOwner 758->760 761 2cb7916-2cb7917 LocalFree 758->761 759->756 762 2cb795b-2cb796b GetAce 759->762 760->761 763 2cb790b-2cb7910 SetFileSecurityA 760->763 761->753 764 2cb7a2a 762->764 765 2cb7971-2cb797e 762->765 763->761 766 2cb7a2d-2cb7a37 764->766 767 2cb79ae-2cb79b1 765->767 768 2cb7980-2cb7992 EqualSid 765->768 766->762 771 2cb7a3d-2cb7a41 766->771 772 2cb79be-2cb79d0 EqualSid 767->772 773 2cb79b3-2cb79bd 767->773 769 2cb7999-2cb799b 768->769 770 2cb7994-2cb7997 768->770 769->767 774 2cb799d-2cb79ac DeleteAce 769->774 770->768 770->769 771->756 775 2cb7a43-2cb7a54 LocalAlloc 771->775 776 2cb79d2-2cb79e3 772->776 777 2cb79e5 772->777 773->772 774->766 775->756 778 2cb7a56-2cb7a60 InitializeSecurityDescriptor 775->778 779 2cb79ea-2cb79ed 776->779 777->779 780 2cb7a62-2cb7a71 SetSecurityDescriptorDacl 778->780 781 2cb7a86-2cb7a87 LocalFree 778->781 782 2cb79f8-2cb79fb 779->782 783 2cb79ef-2cb79f5 779->783 780->781 784 2cb7a73-2cb7a81 SetFileSecurityA 780->784 781->756 785 2cb79fd-2cb7a01 782->785 786 2cb7a03-2cb7a0e 782->786 783->782 784->781 787 2cb7a83 784->787 785->764 785->786 788 2cb7a19-2cb7a24 786->788 789 2cb7a10-2cb7a17 786->789 787->781 790 2cb7a27 788->790 789->790 790->764
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 02CB782F
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02CB7866
                                                                      • GetLengthSid.ADVAPI32(?), ref: 02CB7878
                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02CB789A
                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,02CB7F63,?), ref: 02CB78B8
                                                                      • EqualSid.ADVAPI32(?,02CB7F63), ref: 02CB78D2
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 02CB78E3
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02CB78F1
                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02CB7901
                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02CB7910
                                                                      • LocalFree.KERNEL32(00000000), ref: 02CB7917
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02CB7933
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 02CB7963
                                                                      • EqualSid.ADVAPI32(?,02CB7F63), ref: 02CB798A
                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 02CB79A3
                                                                      • EqualSid.ADVAPI32(?,02CB7F63), ref: 02CB79C5
                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 02CB7A4A
                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02CB7A58
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02CB7A69
                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02CB7A79
                                                                      • LocalFree.KERNEL32(00000000), ref: 02CB7A87
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                      • String ID: D
                                                                      • API String ID: 3722657555-2746444292
                                                                      • Opcode ID: 452d8b164e64d095d1d80f74ebce7046c05324a8d2a6bfcc4b731f0ec0f4ef20
                                                                      • Instruction ID: bfbd857cc69c3f753bf4f6cfb9b8c4b510e806dd0c384ac9cebc6c418aec34d3
                                                                      • Opcode Fuzzy Hash: 452d8b164e64d095d1d80f74ebce7046c05324a8d2a6bfcc4b731f0ec0f4ef20
                                                                      • Instruction Fuzzy Hash: ED815B72D40219EBDB22CFA4CD84FEEBBB8AF89345F14456AE905E2140D7349749CBA0
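The two functions above (the registry-key variant at 2cb7a95 and the file variant at 2cb7809) run the same ACL sequence: fetch owner and DACL with SECURITY_INFORMATION 0x5 (OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION), resolve the logged-on user's SID via GetUserNameA/LookupAccountNameA, compare it against the owner with EqualSid and rewrite the owner (RegSetKeySecurity/SetFileSecurityA with 0x1), then walk the DACL with GetAce, delete every ACE whose SID matches (DeleteAce), and write the DACL back (SetFileSecurityA with 0x4). The report names the dropped path C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe but not the key or the SID installed as owner. The following is an added Python example, not code from the report or from the sample, that performs the same walk offline on a self-relative SECURITY_DESCRIPTOR blob of the kind RegGetKeySecurity/GetFileSecurityA return, so the effect of the loop can be seen on a constructed descriptor; the SIDs, access masks and replacement owner are all constructed assumptions.

```python
import struct

# Bits seen in the trace: RegGetKeySecurity/GetFileSecurityA are called with
# SECURITY_INFORMATION 0x5 = OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION.
OWNER_SECURITY_INFORMATION = 0x1
DACL_SECURITY_INFORMATION = 0x4
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:]; return (SID string, encoded size)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_sid(sid_string):
    """Inverse of parse_sid."""
    parts = sid_string.split("-")
    rev, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def parse_acl(buf, off):
    """Return the ACEs of the ACL at buf[off:] as (type, flags, mask, sid) tuples."""
    _rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):                       # the GetAce(acl, i, &ace) loop
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        aces.append((ace_type, ace_flags, mask, parse_sid(buf, pos + 8)[0]))
        pos += ace_size
    return aces


def parse_sd(buf):
    """Parse a self-relative SECURITY_DESCRIPTOR (what the Get*Security calls return)."""
    _rev, _sbz1, control, off_owner, _off_group, _off_sacl, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    owner = parse_sid(buf, off_owner)[0] if off_owner else None
    dacl = parse_acl(buf, off_dacl) if (control & SE_DACL_PRESENT and off_dacl) else None
    return {"control": control, "owner": owner, "dacl": dacl}


def build_acl(aces):
    body = b""
    for ace_type, flags, mask, sid_string in aces:
        sid = build_sid(sid_string)
        body += struct.pack("<BBHI", ace_type, flags, 8 + len(sid), mask) + sid
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def build_sd(owner_sid, aces):
    """Self-relative SD carrying an owner and a DACL (no group, no SACL)."""
    owner, acl = build_sid(owner_sid), build_acl(aces)
    off_owner = 20
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                       off_owner, 0, 0, off_owner + len(owner)) + owner + acl


def strip_sid(aces, victim_sid):
    """The GetAce / EqualSid / DeleteAce loop: drop every ACE that names victim_sid."""
    return [a for a in aces if a[3] != victim_sid]


def lockdown(sd_bytes, victim_sid, new_owner_sid):
    """Rebuild the SD the way the two functions do: new owner, victim's ACEs removed.
    Which SID the sample installs as owner is not visible in the report; the caller
    supplies it here (assumption)."""
    sd = parse_sd(sd_bytes)
    return build_sd(new_owner_sid, strip_sid(sd["dacl"], victim_sid))


# Constructed sample input (not taken from the analysed machine): the logged-on user
# owns the object and holds full access alongside SYSTEM and Administrators.
USER_SID = "S-1-5-21-1000-2000-3000-1001"
SYSTEM_SID, ADMINS_SID = "S-1-5-18", "S-1-5-32-544"
FILE_ALL_ACCESS = 0x1F01FF
SAMPLE_ACES = [(ACCESS_ALLOWED_ACE_TYPE, 0, FILE_ALL_ACCESS, USER_SID),
               (ACCESS_ALLOWED_ACE_TYPE, 0, FILE_ALL_ACCESS, SYSTEM_SID),
               (ACCESS_ALLOWED_ACE_TYPE, 0, FILE_ALL_ACCESS, ADMINS_SID)]
SAMPLE_SD = build_sd(USER_SID, SAMPLE_ACES)

if __name__ == "__main__":
    before, after = parse_sd(SAMPLE_SD), parse_sd(lockdown(SAMPLE_SD, USER_SID, SYSTEM_SID))
    print("owner:", before["owner"], "->", after["owner"])
    print("DACL SIDs:", [a[3] for a in before["dacl"]], "->", [a[3] for a in after["dacl"]])
```

Run against a descriptor exported from a live key or file (for example the self-relative bytes behind Get-Acl's GetSecurityDescriptorBinaryForm()), parse_sd shows whether the interactive user's ACEs are already gone; that is the state an analyst should expect to find on the dropped executable and its registry key after this code has run, and the reason an ordinary user can neither read nor delete them until ownership is taken back.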

                                                                      Control-flow Graph

                                                                      control_flow_graph 791 2cb8328-2cb833e call 2cb7dd6 794 2cb8348-2cb8356 call 2cb6ec3 791->794 795 2cb8340-2cb8343 791->795 799 2cb846b-2cb8474 794->799 800 2cb835c-2cb8378 call 2cb73ff 794->800 796 2cb877b-2cb877d 795->796 802 2cb847a-2cb8480 799->802 803 2cb85c2-2cb85ce 799->803 811 2cb837e-2cb8384 800->811 812 2cb8464-2cb8466 800->812 802->803 804 2cb8486-2cb84ba call 2cb2544 RegOpenKeyExA 802->804 806 2cb85d0-2cb85da call 2cb675c 803->806 807 2cb8615-2cb8620 803->807 821 2cb8543-2cb8571 call 2cb2544 RegOpenKeyExA 804->821 822 2cb84c0-2cb84db RegQueryValueExA 804->822 814 2cb85df-2cb85eb 806->814 809 2cb86a7-2cb86b0 call 2cb6ba7 807->809 810 2cb8626-2cb864c GetTempPathA call 2cb8274 call 2cbeca5 807->810 830 2cb8762 809->830 831 2cb86b6-2cb86bd call 2cb7e2f 809->831 849 2cb864e-2cb866f call 2cbeca5 810->849 850 2cb8671-2cb86a4 call 2cb2544 call 2cbef00 call 2cbee2a 810->850 811->812 818 2cb838a-2cb838d 811->818 819 2cb8779-2cb877a 812->819 814->807 820 2cb85ed-2cb85ef 814->820 818->812 825 2cb8393-2cb8399 818->825 819->796 820->807 826 2cb85f1-2cb85fa 820->826 843 2cb8573-2cb857b 821->843 844 2cb85a5-2cb85b7 call 2cbee2a 821->844 828 2cb84dd-2cb84e1 822->828 829 2cb8521-2cb852d RegCloseKey 822->829 833 2cb839c-2cb83a1 825->833 826->807 834 2cb85fc-2cb860f call 2cb24c2 826->834 828->829 836 2cb84e3-2cb84e6 828->836 829->821 840 2cb852f-2cb8541 call 2cbeed1 829->840 838 2cb8768-2cb876b 830->838 862 2cb875b-2cb875c DeleteFileA 831->862 863 2cb86c3-2cb873b call 2cbee2a * 2 lstrcpyA lstrlenA call 2cb7fcf CreateProcessA 831->863 833->833 841 2cb83a3-2cb83af 833->841 834->807 834->838 836->829 845 2cb84e8-2cb84f6 call 2cbebcc 836->845 847 2cb876d-2cb8775 call 2cbec2e 838->847 848 2cb8776-2cb8778 838->848 840->821 840->844 852 2cb83b3-2cb83ba 841->852 853 2cb83b1 841->853 859 2cb857e-2cb8583 843->859 844->803 878 2cb85b9-2cb85c1 call 2cbec2e 844->878 845->829 877 2cb84f8-2cb8513 RegQueryValueExA 
845->877 847->848 848->819 849->850 850->809 856 2cb8450-2cb845f call 2cbee2a 852->856 857 2cb83c0-2cb83fb call 2cb2544 RegOpenKeyExA 852->857 853->852 856->803 857->856 882 2cb83fd-2cb841c RegQueryValueExA 857->882 859->859 868 2cb8585-2cb859f RegSetValueExA RegCloseKey 859->868 862->830 899 2cb874f-2cb875a call 2cb7ee6 call 2cb7ead 863->899 900 2cb873d-2cb874d CloseHandle * 2 863->900 868->844 877->829 883 2cb8515-2cb851e call 2cbec2e 877->883 878->803 888 2cb841e-2cb8421 882->888 889 2cb842d-2cb8441 RegSetValueExA 882->889 883->829 888->889 894 2cb8423-2cb8426 888->894 895 2cb8447-2cb844a RegCloseKey 889->895 894->889 898 2cb8428-2cb842b 894->898 895->856 898->889 898->895 899->862 900->838
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02CB83F3
                                                                      • RegQueryValueExA.KERNELBASE(02CC0750,?,00000000,?,02CB8893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02CB8414
                                                                      • RegSetValueExA.KERNELBASE(02CC0750,?,00000000,00000004,02CB8893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02CB8441
                                                                      • RegCloseKey.ADVAPI32(02CC0750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 02CB844A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseOpenQuery
                                                                      • String ID: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe$localcfg
                                                                      • API String ID: 237177642-1464199976
                                                                      • Opcode ID: 67fd5228505ee12a72581335276086760899acdfe528f114b7f38e61d5a07c3a
                                                                      • Instruction ID: aab08783c7003d163566017b5393d10b8ac0ab3f0378aec85f2f8123200c5dc3
                                                                      • Opcode Fuzzy Hash: 67fd5228505ee12a72581335276086760899acdfe528f114b7f38e61d5a07c3a
                                                                      • Instruction Fuzzy Hash: 4FC171B2D80149FEEB12AFA4DC84EEE7BBDEF44704F244665F905A2040E7709B949F61

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetVersionExA.KERNEL32 ref: 02CB1DC6
                                                                      • GetSystemInfo.KERNELBASE(?), ref: 02CB1DE8
                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02CB1E03
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02CB1E0A
                                                                      • GetCurrentProcess.KERNEL32(?), ref: 02CB1E1B
                                                                      • GetTickCount.KERNEL32 ref: 02CB1FC9
                                                                        • Part of subcall function 02CB1BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02CB1C15
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                      • API String ID: 4207808166-1381319158
                                                                      • Opcode ID: 0ab8f4dbf566bf9200f4e44f825a2f9e0a77574c86ea3778bc5975535a015183
                                                                      • Instruction ID: 0489668755a40e24d9f60111f182a6a29c87b25845f72c3539e6d828e3454ea5
                                                                      • Opcode Fuzzy Hash: 0ab8f4dbf566bf9200f4e44f825a2f9e0a77574c86ea3778bc5975535a015183
                                                                      • Instruction Fuzzy Hash: 4B51E8B0944744AFE331AF758C89FA7BBECEF85748F48091DF54A82102D7B5A504CBA1

                                                                      Control-flow Graph

                                                                      control_flow_graph 999 2cb73ff-2cb7419 1000 2cb741b 999->1000 1001 2cb741d-2cb7422 999->1001 1000->1001 1002 2cb7426-2cb742b 1001->1002 1003 2cb7424 1001->1003 1004 2cb742d 1002->1004 1005 2cb7430-2cb7435 1002->1005 1003->1002 1004->1005 1006 2cb743a-2cb7481 call 2cb6dc2 call 2cb2544 RegOpenKeyExA 1005->1006 1007 2cb7437 1005->1007 1012 2cb77f9-2cb77fe call 2cbee2a 1006->1012 1013 2cb7487-2cb749d call 2cbee2a 1006->1013 1007->1006 1018 2cb7801 1012->1018 1019 2cb7703-2cb770e RegEnumKeyA 1013->1019 1020 2cb7804-2cb7808 1018->1020 1021 2cb74a2-2cb74b1 call 2cb6cad 1019->1021 1022 2cb7714-2cb771d RegCloseKey 1019->1022 1025 2cb76ed-2cb7700 1021->1025 1026 2cb74b7-2cb74cc call 2cbf1a5 1021->1026 1022->1018 1025->1019 1026->1025 1029 2cb74d2-2cb74f8 RegOpenKeyExA 1026->1029 1030 2cb74fe-2cb7530 call 2cb2544 RegQueryValueExA 1029->1030 1031 2cb7727-2cb772a 1029->1031 1030->1031 1038 2cb7536-2cb753c 1030->1038 1033 2cb772c-2cb7740 call 2cbef00 1031->1033 1034 2cb7755-2cb7764 call 2cbee2a 1031->1034 1042 2cb774b-2cb774e 1033->1042 1043 2cb7742-2cb7745 RegCloseKey 1033->1043 1044 2cb76df-2cb76e2 1034->1044 1041 2cb753f-2cb7544 1038->1041 1041->1041 1045 2cb7546-2cb754b 1041->1045 1046 2cb77ec-2cb77f7 RegCloseKey 1042->1046 1043->1042 1044->1025 1047 2cb76e4-2cb76e7 RegCloseKey 1044->1047 1045->1034 1048 2cb7551-2cb756b call 2cbee95 1045->1048 1046->1020 1047->1025 1048->1034 1051 2cb7571-2cb7593 call 2cb2544 call 2cbee95 1048->1051 1056 2cb7599-2cb75a0 1051->1056 1057 2cb7753 1051->1057 1058 2cb75c8-2cb75d7 call 2cbed03 1056->1058 1059 2cb75a2-2cb75c6 call 2cbef00 call 2cbed03 1056->1059 1057->1034 1065 2cb75d8-2cb75da 1058->1065 1059->1065 1067 2cb75df-2cb7623 call 2cbee95 call 2cb2544 call 2cbee95 call 2cbee2a 1065->1067 1068 2cb75dc 1065->1068 1077 2cb7626-2cb762b 1067->1077 1068->1067 1077->1077 1078 2cb762d-2cb7634 1077->1078 1079 2cb7637-2cb763c 1078->1079 1079->1079 1080 2cb763e-2cb7642 1079->1080 
1081 2cb765c-2cb7673 call 2cbed23 1080->1081 1082 2cb7644-2cb7656 call 2cbed77 1080->1082 1088 2cb7680 1081->1088 1089 2cb7675-2cb767e 1081->1089 1082->1081 1087 2cb7769-2cb777c call 2cbef00 1082->1087 1095 2cb77e3-2cb77e6 RegCloseKey 1087->1095 1091 2cb7683-2cb768e call 2cb6cad 1088->1091 1089->1091 1096 2cb7722-2cb7725 1091->1096 1097 2cb7694-2cb76bf call 2cbf1a5 call 2cb6c96 1091->1097 1095->1046 1098 2cb76dd 1096->1098 1103 2cb76d8 1097->1103 1104 2cb76c1-2cb76c7 1097->1104 1098->1044 1103->1098 1104->1103 1105 2cb76c9-2cb76d2 1104->1105 1105->1103 1106 2cb777e-2cb7797 GetFileAttributesExA 1105->1106 1107 2cb779a-2cb779f 1106->1107 1108 2cb7799 1106->1108 1109 2cb77a3-2cb77a8 1107->1109 1110 2cb77a1 1107->1110 1108->1107 1111 2cb77aa-2cb77c0 call 2cbee08 1109->1111 1112 2cb77c4-2cb77c8 1109->1112 1110->1109 1111->1112 1114 2cb77ca-2cb77d6 call 2cbef00 1112->1114 1115 2cb77d7-2cb77dc 1112->1115 1114->1115 1118 2cb77de 1115->1118 1119 2cb77e0-2cb77e2 1115->1119 1118->1119 1119->1095
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 02CB7472
                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 02CB74F0
                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 02CB7528
                                                                      • ___ascii_stricmp.LIBCMT ref: 02CB764D
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 02CB76E7
                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02CB7706
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 02CB7717
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 02CB7745
                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 02CB77EF
                                                                        • Part of subcall function 02CBF1A5: lstrlenA.KERNEL32(000000C8,000000E4,02CC22F8,000000C8,02CB7150,?), ref: 02CBF1AD
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02CB778F
                                                                      • RegCloseKey.KERNELBASE(?), ref: 02CB77E6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                      • String ID: "
                                                                      • API String ID: 3433985886-123907689
                                                                      • Opcode ID: 51517919b90c4d82bc9712811147d2c364e221f5a5fb6e057cb685653936e8d1
                                                                      • Instruction ID: f7da85501f711f68ac6d2b0bc47e36bb2b7c846a5aea154fa4a8eafd1b400a5c
                                                                      • Opcode Fuzzy Hash: 51517919b90c4d82bc9712811147d2c364e221f5a5fb6e057cb685653936e8d1
                                                                      • Instruction Fuzzy Hash: 4FC18372900249AFEB139FA5DC48FEEBBBDEF85710F140495E904A6190EB71DA48DF60

                                                                      Control-flow Graph

                                                                      control_flow_graph 1121 2cb675c-2cb6778 1122 2cb677a-2cb677e SetFileAttributesA 1121->1122 1123 2cb6784-2cb67a2 CreateFileA 1121->1123 1122->1123 1124 2cb67b5-2cb67b8 1123->1124 1125 2cb67a4-2cb67b2 CreateFileA 1123->1125 1126 2cb67ba-2cb67bf SetFileAttributesA 1124->1126 1127 2cb67c5-2cb67c9 1124->1127 1125->1124 1126->1127 1128 2cb67cf-2cb67df GetFileSize 1127->1128 1129 2cb6977-2cb6986 1127->1129 1130 2cb696b 1128->1130 1131 2cb67e5-2cb67e7 1128->1131 1133 2cb696e-2cb6971 FindCloseChangeNotification 1130->1133 1131->1130 1132 2cb67ed-2cb680b ReadFile 1131->1132 1132->1130 1134 2cb6811-2cb6824 SetFilePointer 1132->1134 1133->1129 1134->1130 1135 2cb682a-2cb6842 ReadFile 1134->1135 1135->1130 1136 2cb6848-2cb6861 SetFilePointer 1135->1136 1136->1130 1137 2cb6867-2cb6876 1136->1137 1138 2cb6878-2cb688f ReadFile 1137->1138 1139 2cb68d5-2cb68df 1137->1139 1140 2cb68d2 1138->1140 1141 2cb6891-2cb689e 1138->1141 1139->1133 1142 2cb68e5-2cb68eb 1139->1142 1140->1139 1145 2cb68a0-2cb68b5 1141->1145 1146 2cb68b7-2cb68ba 1141->1146 1143 2cb68ed 1142->1143 1144 2cb68f0-2cb68fe call 2cbebcc 1142->1144 1143->1144 1144->1130 1152 2cb6900-2cb690b SetFilePointer 1144->1152 1148 2cb68bd-2cb68c3 1145->1148 1146->1148 1150 2cb68c8-2cb68ce 1148->1150 1151 2cb68c5 1148->1151 1150->1138 1153 2cb68d0 1150->1153 1151->1150 1154 2cb695a-2cb6969 call 2cbec2e 1152->1154 1155 2cb690d-2cb6920 ReadFile 1152->1155 1153->1139 1154->1133 1155->1154 1156 2cb6922-2cb6958 1155->1156 1156->1133
                                                                      APIs
                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 02CB677E
                                                                      • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 02CB679A
                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 02CB67B0
                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 02CB67BF
                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 02CB67D3
                                                                      • ReadFile.KERNELBASE(000000FF,?,00000040,02CB8244,00000000,?,75920F10,00000000), ref: 02CB6807
                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02CB681F
                                                                      • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 02CB683E
                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02CB685C
                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,02CB8244,00000000,?,75920F10,00000000), ref: 02CB688B
                                                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 02CB6906
                                                                      • ReadFile.KERNEL32(000000FF,?,00000000,02CB8244,00000000,?,75920F10,00000000), ref: 02CB691C
                                                                      • FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 02CB6971
                                                                        • Part of subcall function 02CBEC2E: GetProcessHeap.KERNEL32(00000000,02CBEA27,00000000,02CBEA27,00000000), ref: 02CBEC41
                                                                        • Part of subcall function 02CBEC2E: RtlFreeHeap.NTDLL(00000000), ref: 02CBEC48
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                      • String ID:
                                                                      • API String ID: 1400801100-0
                                                                      • Opcode ID: 391e60646622d07998bf1afeef2a449ff7edec4723e05492cb0a575f0ef014af
                                                                      • Instruction ID: 9fc334a20d737c84cf3392172ec63d57f46f7ab196703426474e47e60fd60361
                                                                      • Opcode Fuzzy Hash: 391e60646622d07998bf1afeef2a449ff7edec4723e05492cb0a575f0ef014af
                                                                      • Instruction Fuzzy Hash: 1F71F871D00219EFDF168FA5CC80AEEBBB9FF48314F20456AE515A6290E7319E52DF60
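The read pattern in this function identifies what it is doing: ReadFile of 0x40 bytes, SetFilePointer to an offset taken from that buffer, ReadFile of 0xF8 bytes, another seek, then ReadFile of 0x28 bytes in a loop, and finally a seek to 0 followed by a read of the whole file. Those sizes are sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) (4 + 20 + 224) and sizeof(IMAGE_SECTION_HEADER), so the routine is parsing a PE32 file's headers and section table before loading its contents (the SetFileAttributesA calls with 0x80 and 0x2 clear and then restore FILE_ATTRIBUTE_HIDDEN around the open). The following is an added Python example, not code from the report or the sample, that performs the same walk on an in-memory image using exactly those three sizes, with the bounds checks a parser needs before trusting e_lfanew or a section's raw pointer; the test image it builds is constructed here and is unrelated to the analysed binary.

```python
import struct

# The three read sizes in the trace correspond to the fixed-size PE32 headers.
DOS_HEADER_SIZE = 0x40      # sizeof(IMAGE_DOS_HEADER): ReadFile(..., 0x40) at 02CB6807
NT_HEADERS32_SIZE = 0xF8    # sizeof(IMAGE_NT_HEADERS32) = 4 + 20 + 224: ReadFile(..., 0xF8)
SECTION_HEADER_SIZE = 0x28  # sizeof(IMAGE_SECTION_HEADER): ReadFile(..., 0x28) in the loop
PE32_MAGIC = 0x10B


class BadPE(ValueError):
    """Raised where the sample's code would jump to its cleanup block."""


def parse_pe32(data):
    """Walk DOS header -> NT headers -> section table, bounds-checking every seek."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise BadPE("no DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + NT_HEADERS32_SIZE > len(data):            # target of SetFilePointer(e_lfanew)
        raise BadPE("e_lfanew out of range")
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if nt[:4] != b"PE\0\0":
        raise BadPE("bad PE signature")
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", nt, 4)
    if struct.unpack_from("<H", nt, 24)[0] != PE32_MAGIC:
        raise BadPE("not a PE32 optional header")
    entry, = struct.unpack_from("<I", nt, 24 + 16)           # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", nt, 24 + 28)      # ImageBase (PE32 layout)
    size_of_image, = struct.unpack_from("<I", nt, 24 + 56)
    sect_off = e_lfanew + 4 + 20 + opt_size                   # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = sect_off + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise BadPE("section table truncated")
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        if rawptr + rawsize > len(data):                     # target of the later SetFilePointer/ReadFile
            raise BadPE("section %r points outside the file" % name)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "chars": struct.unpack_from("<I", data, off + 36)[0]})
    return {"machine": machine, "characteristics": chars, "entry": entry,
            "image_base": image_base, "size_of_image": size_of_image, "sections": sections}


def is_valid_pe32(data):
    try:
        parse_pe32(data)
        return True
    except BadPE:
        return False


def build_minimal_pe32(sections, entry_rva=0x1000):
    """Constructed PE32 test image (not the analysed sample): one section per (name, rva, body)."""
    file_align, sect_align = 0x200, 0x1000
    e_lfanew = DOS_HEADER_SIZE
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    headers_end = e_lfanew + NT_HEADERS32_SIZE + len(sections) * SECTION_HEADER_SIZE
    size_of_headers = -(-headers_end // file_align) * file_align
    table, raw, ptr = [], b"", size_of_headers
    for name, rva, body in sections:
        rawsize = -(-len(body) // file_align) * file_align
        table.append(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), rva, rawsize,
                                 ptr, 0, 0, 0, 0, 0x60000020))
        raw += body.ljust(rawsize, b"\0")
        ptr += rawsize
    size_of_image = max(rva for _, rva, _ in sections) + sect_align  # assumes each body fits in one page
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I", PE32_MAGIC, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000,
                      0x400000, sect_align, file_align, 6, 0, 0, 0, 6, 0, 0, size_of_image,
                      size_of_headers, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    headers = dos + b"PE\0\0" + file_hdr + opt + b"\0" * 128 + b"".join(table)
    return headers.ljust(size_of_headers, b"\0") + raw


def corrupt_e_lfanew(data, value):
    """Return a copy of data with e_lfanew overwritten (hostile-header test case)."""
    bad = bytearray(data)
    struct.pack_into("<I", bad, 0x3C, value)
    return bytes(bad)


# Constructed sections: a five-instruction stub and a tiny data blob.
SAMPLE_SECTIONS = [(b".text", 0x1000, b"\x55\x8b\xec\x33\xc0\x5d\xc3"),
                   (b".data", 0x2000, b"hello\0")]
SAMPLE_IMAGE = build_minimal_pe32(SAMPLE_SECTIONS)

if __name__ == "__main__":
    pe = parse_pe32(SAMPLE_IMAGE)
    print("entry RVA 0x%x, image base 0x%x" % (pe["entry"], pe["image_base"]))
    for s in pe["sections"]:
        print("%-8s rva=0x%04x raw=0x%04x+0x%x" % (s["name"], s["vaddr"], s["rawptr"], s["rawsize"]))
```

The point of the bounds checks is the part the trace cannot show: a loader that seeks to e_lfanew or to PointerToRawData without comparing them against the file size read by GetFileSize will read garbage or fail on a truncated or crafted file, which is also how analysts distinguish a robust in-house loader from a minimal one when triaging this kind of routine.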

                                                                      Control-flow Graph

                                                                      control_flow_graph 1159 2cbf315-2cbf332 1160 2cbf33b-2cbf372 call 2cbee2a htons socket 1159->1160 1161 2cbf334-2cbf336 1159->1161 1165 2cbf382-2cbf39b ioctlsocket 1160->1165 1166 2cbf374-2cbf37d closesocket 1160->1166 1162 2cbf424-2cbf427 1161->1162 1167 2cbf3aa-2cbf3f0 connect select 1165->1167 1168 2cbf39d 1165->1168 1166->1162 1170 2cbf3f2-2cbf401 __WSAFDIsSet 1167->1170 1171 2cbf421 1167->1171 1169 2cbf39f-2cbf3a8 closesocket 1168->1169 1172 2cbf423 1169->1172 1170->1169 1173 2cbf403-2cbf416 ioctlsocket call 2cbf26d 1170->1173 1171->1172 1172->1162 1175 2cbf41b-2cbf41f 1173->1175 1175->1172
                                                                      APIs
                                                                      • htons.WS2_32(02CBCA1D), ref: 02CBF34D
                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 02CBF367
                                                                      • closesocket.WS2_32(00000000), ref: 02CBF375
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: closesockethtonssocket
                                                                      • String ID: time_cfg
                                                                      • API String ID: 311057483-2401304539
                                                                      • Opcode ID: b365b9a87e2643c5a161c6a5d30e6bd0c5154e02a3030ebf905066a3a0caf457
                                                                      • Instruction ID: 8afe967b29ecaee55da4171effbdd27d50e27c3f0716f232bfc6103e73c09a77
                                                                      • Opcode Fuzzy Hash: b365b9a87e2643c5a161c6a5d30e6bd0c5154e02a3030ebf905066a3a0caf457
                                                                      • Instruction Fuzzy Hash: AC315E72940118ABDB11DFA5DC84AEEBBBCFF89314F10456AF915D3240E7709A518FA0

                                                                      Control-flow Graph

                                                                      control_flow_graph 1176 2cb405e-2cb407b CreateEventA 1177 2cb407d-2cb4081 1176->1177 1178 2cb4084-2cb40a8 call 2cb3ecd call 2cb4000 1176->1178 1183 2cb40ae-2cb40be call 2cbee2a 1178->1183 1184 2cb4130-2cb413e call 2cbee2a 1178->1184 1183->1184 1190 2cb40c0-2cb40f1 call 2cbeca5 call 2cb3f18 call 2cb3f8c 1183->1190 1189 2cb413f-2cb4165 call 2cb3ecd CreateNamedPipeA 1184->1189 1195 2cb4188-2cb4193 ConnectNamedPipe 1189->1195 1196 2cb4167-2cb4174 Sleep 1189->1196 1208 2cb40f3-2cb40ff 1190->1208 1209 2cb4127-2cb412a CloseHandle 1190->1209 1200 2cb41ab-2cb41c0 call 2cb3f8c 1195->1200 1201 2cb4195-2cb41a5 GetLastError 1195->1201 1196->1189 1198 2cb4176-2cb4182 CloseHandle 1196->1198 1198->1195 1200->1195 1207 2cb41c2-2cb41f2 call 2cb3f18 call 2cb3f8c 1200->1207 1201->1200 1203 2cb425e-2cb4265 DisconnectNamedPipe 1201->1203 1203->1195 1207->1203 1217 2cb41f4-2cb4200 1207->1217 1208->1209 1211 2cb4101-2cb4121 call 2cb3f18 ExitProcess 1208->1211 1209->1184 1217->1203 1218 2cb4202-2cb4215 call 2cb3f8c 1217->1218 1218->1203 1221 2cb4217-2cb421b 1218->1221 1221->1203 1222 2cb421d-2cb4230 call 2cb3f8c 1221->1222 1222->1203 1225 2cb4232-2cb4236 1222->1225 1225->1195 1226 2cb423c-2cb4251 call 2cb3f18 1225->1226 1229 2cb426a-2cb4276 CloseHandle * 2 call 2cbe318 1226->1229 1230 2cb4253-2cb4259 1226->1230 1232 2cb427b 1229->1232 1230->1195 1232->1232
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02CB4070
                                                                      • ExitProcess.KERNEL32 ref: 02CB4121
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateEventExitProcess
                                                                      • String ID:
                                                                      • API String ID: 2404124870-0
                                                                      • Opcode ID: e1ef1fb60c88e8501a7fb835a186b5b0bc9138d12ae757897fa0899dd4655edc
                                                                      • Instruction ID: c15a4b2773a72ea1ad43db83eaacc5549746c143a89e49a95b93ee0c64d6fe8d
                                                                      • Opcode Fuzzy Hash: e1ef1fb60c88e8501a7fb835a186b5b0bc9138d12ae757897fa0899dd4655edc
                                                                      • Instruction Fuzzy Hash: CE51AEB1D44218FAEB22AAA08C85FFF7B7DEF50715F1001A5FA10B6181E7318A01DBA1

                                                                      Control-flow Graph

                                                                      control_flow_graph 1233 2cb2d21-2cb2d44 GetModuleHandleA 1234 2cb2d5b-2cb2d69 GetProcAddress 1233->1234 1235 2cb2d46-2cb2d52 LoadLibraryA 1233->1235 1236 2cb2d54-2cb2d56 1234->1236 1237 2cb2d6b-2cb2d7b DnsQuery_A 1234->1237 1235->1234 1235->1236 1238 2cb2dee-2cb2df1 1236->1238 1237->1236 1239 2cb2d7d-2cb2d88 1237->1239 1240 2cb2deb 1239->1240 1241 2cb2d8a-2cb2d8b 1239->1241 1240->1238 1242 2cb2d90-2cb2d95 1241->1242 1243 2cb2de2-2cb2de8 1242->1243 1244 2cb2d97-2cb2daa GetProcessHeap HeapAlloc 1242->1244 1243->1242 1245 2cb2dea 1243->1245 1244->1245 1246 2cb2dac-2cb2dd9 call 2cbee2a lstrcpynA 1244->1246 1245->1240 1249 2cb2ddb-2cb2dde 1246->1249 1250 2cb2de0 1246->1250 1249->1243 1250->1243
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02CB2F01,?,02CB20FF,02CC2000), ref: 02CB2D3A
                                                                      • LoadLibraryA.KERNEL32(?), ref: 02CB2D4A
                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02CB2D61
                                                                      • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02CB2D77
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02CB2D99
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 02CB2DA0
                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02CB2DCB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                      • API String ID: 233223969-3847274415
                                                                      • Opcode ID: b704abb95bfb1243d5db86f31a0365e8be8fb652bc436fc6157d9e141271d4f5
                                                                      • Instruction ID: defc6f2202987a6ef5fded376fd12aab68fd8be1d78fc10fdf9e8d31d6db08d2
                                                                      • Opcode Fuzzy Hash: b704abb95bfb1243d5db86f31a0365e8be8fb652bc436fc6157d9e141271d4f5
                                                                      • Instruction Fuzzy Hash: 62219D71D40626EBCB22AF65DC44AEEBBB8FF48B50F104556F805E3200D370AA82CBD1

                                                                      Control-flow Graph

                                                                      control_flow_graph 1251 2cb80c9-2cb80ed call 2cb6ec3 1254 2cb80f9-2cb8115 call 2cb704c 1251->1254 1255 2cb80ef call 2cb7ee6 1251->1255 1260 2cb8225-2cb822b 1254->1260 1261 2cb811b-2cb8121 1254->1261 1258 2cb80f4 1255->1258 1258->1260 1262 2cb822d-2cb8233 1260->1262 1263 2cb826c-2cb8273 1260->1263 1261->1260 1264 2cb8127-2cb812a 1261->1264 1262->1263 1265 2cb8235-2cb823f call 2cb675c 1262->1265 1264->1260 1266 2cb8130-2cb8167 call 2cb2544 RegOpenKeyExA 1264->1266 1269 2cb8244-2cb824b 1265->1269 1272 2cb816d-2cb818b RegQueryValueExA 1266->1272 1273 2cb8216-2cb8222 call 2cbee2a 1266->1273 1269->1263 1271 2cb824d-2cb8269 call 2cb24c2 call 2cbec2e 1269->1271 1271->1263 1275 2cb818d-2cb8191 1272->1275 1276 2cb81f7-2cb81fe 1272->1276 1273->1260 1275->1276 1282 2cb8193-2cb8196 1275->1282 1280 2cb820d-2cb8210 RegCloseKey 1276->1280 1281 2cb8200-2cb8206 call 2cbec2e 1276->1281 1280->1273 1289 2cb820c 1281->1289 1282->1276 1285 2cb8198-2cb81a8 call 2cbebcc 1282->1285 1285->1280 1291 2cb81aa-2cb81c2 RegQueryValueExA 1285->1291 1289->1280 1291->1276 1292 2cb81c4-2cb81ca 1291->1292 1293 2cb81cd-2cb81d2 1292->1293 1293->1293 1294 2cb81d4-2cb81e5 call 2cbebcc 1293->1294 1294->1280 1297 2cb81e7-2cb81f5 call 2cbef00 1294->1297 1297->1289
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02CB815F
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02CBA45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02CB8187
                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,02CBA45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02CB81BE
                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02CB8210
                                                                        • Part of subcall function 02CB675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 02CB677E
                                                                        • Part of subcall function 02CB675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 02CB679A
                                                                        • Part of subcall function 02CB675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 02CB67B0
                                                                        • Part of subcall function 02CB675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 02CB67BF
                                                                        • Part of subcall function 02CB675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 02CB67D3
                                                                        • Part of subcall function 02CB675C: ReadFile.KERNELBASE(000000FF,?,00000040,02CB8244,00000000,?,75920F10,00000000), ref: 02CB6807
                                                                        • Part of subcall function 02CB675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02CB681F
                                                                        • Part of subcall function 02CB675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 02CB683E
                                                                        • Part of subcall function 02CB675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 02CB685C
                                                                        • Part of subcall function 02CBEC2E: GetProcessHeap.KERNEL32(00000000,02CBEA27,00000000,02CBEA27,00000000), ref: 02CBEC41
                                                                        • Part of subcall function 02CBEC2E: RtlFreeHeap.NTDLL(00000000), ref: 02CBEC48
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                      • String ID: C:\Windows\SysWOW64\djiglggs\bvvnqaeq.exe
                                                                      • API String ID: 124786226-1056034784
                                                                      • Opcode ID: e3bfc92cb4e8b7610648ed956e0d5c5df094c5c1df0c2d686900c4d6ef536796
                                                                      • Instruction ID: 01aded223def4c891f2e45614bf230b35321d982bf5a27ce73cbd452402bbde2
                                                                      • Opcode Fuzzy Hash: e3bfc92cb4e8b7610648ed956e0d5c5df094c5c1df0c2d686900c4d6ef536796
                                                                      • Instruction Fuzzy Hash: 94417FB2D41149BFEB12ABA4DD80EFE776DAF44704F240A6AE901E2100E7709F549B62

                                                                      Control-flow Graph

                                                                      control_flow_graph 1300 2cb1ac3-2cb1adc LoadLibraryA 1301 2cb1b6b-2cb1b70 1300->1301 1302 2cb1ae2-2cb1af3 GetProcAddress 1300->1302 1303 2cb1b6a 1302->1303 1304 2cb1af5-2cb1b01 1302->1304 1303->1301 1305 2cb1b1c-2cb1b27 GetAdaptersAddresses 1304->1305 1306 2cb1b29-2cb1b2b 1305->1306 1307 2cb1b03-2cb1b12 call 2cbebed 1305->1307 1309 2cb1b5b-2cb1b5e 1306->1309 1310 2cb1b2d-2cb1b32 1306->1310 1307->1306 1316 2cb1b14-2cb1b1b 1307->1316 1311 2cb1b69 1309->1311 1312 2cb1b60-2cb1b68 call 2cbec2e 1309->1312 1310->1311 1314 2cb1b34-2cb1b3b 1310->1314 1311->1303 1312->1311 1317 2cb1b3d-2cb1b52 1314->1317 1318 2cb1b54-2cb1b59 1314->1318 1316->1305 1317->1317 1317->1318 1318->1309 1318->1314
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02CB1AD4
                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02CB1AE9
                                                                      • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02CB1B20
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                      • API String ID: 3646706440-1087626847
                                                                      • Opcode ID: 2f15ed765d5762bede05345f12fcf9af231ac819503379938a0e5cc97b2883c8
                                                                      • Instruction ID: 00b581cbc400786cb0a56b0bcf0c91fb436c9c526b418e0b5cd4d792ab5bafaa
                                                                      • Opcode Fuzzy Hash: 2f15ed765d5762bede05345f12fcf9af231ac819503379938a0e5cc97b2883c8
                                                                      • Instruction Fuzzy Hash: 9111D6B1E01128EFDB179BA9DC948EDFBBAEF84B10F284155E009E3104E7B04B40DB94

                                                                      Control-flow Graph

                                                                      control_flow_graph 1320 2cbe3ca-2cbe3ee RegOpenKeyExA 1321 2cbe528-2cbe52d 1320->1321 1322 2cbe3f4-2cbe3fb 1320->1322 1323 2cbe3fe-2cbe403 1322->1323 1323->1323 1324 2cbe405-2cbe40f 1323->1324 1325 2cbe411-2cbe413 1324->1325 1326 2cbe414-2cbe452 call 2cbee08 call 2cbf1ed RegQueryValueExA 1324->1326 1325->1326 1331 2cbe458-2cbe486 call 2cbf1ed RegQueryValueExA 1326->1331 1332 2cbe51d-2cbe527 RegCloseKey 1326->1332 1335 2cbe488-2cbe48a 1331->1335 1332->1321 1335->1332 1336 2cbe490-2cbe4a1 call 2cbdb2e 1335->1336 1336->1332 1339 2cbe4a3-2cbe4a6 1336->1339 1340 2cbe4a9-2cbe4d3 call 2cbf1ed RegQueryValueExA 1339->1340 1343 2cbe4e8-2cbe4ea 1340->1343 1344 2cbe4d5-2cbe4da 1340->1344 1343->1332 1346 2cbe4ec-2cbe516 call 2cb2544 call 2cbe332 1343->1346 1344->1343 1345 2cbe4dc-2cbe4e6 1344->1345 1345->1340 1345->1343 1346->1332
                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000001,02CBE5F2,00000000,00020119,02CBE5F2,02CC22F8), ref: 02CBE3E6
                                                                      • RegQueryValueExA.ADVAPI32(02CBE5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 02CBE44E
                                                                      • RegQueryValueExA.ADVAPI32(02CBE5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 02CBE482
                                                                      • RegQueryValueExA.ADVAPI32(02CBE5F2,?,00000000,?,80000001,?), ref: 02CBE4CF
                                                                      • RegCloseKey.ADVAPI32(02CBE5F2,?,?,?,?,000000C8,000000E4), ref: 02CBE520
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: QueryValue$CloseOpen
                                                                      • String ID:
                                                                      • API String ID: 1586453840-0
                                                                      • Opcode ID: 25873a0fa006667eea8f2012735bc30ce06198b7f639f8c27b29ed671f878d65
                                                                      • Instruction ID: 4bcbb85fa4db9c4696f6a6ddcda287dfa22a9e2f7bf22d72caa444f5c6bc497b
                                                                      • Opcode Fuzzy Hash: 25873a0fa006667eea8f2012735bc30ce06198b7f639f8c27b29ed671f878d65
                                                                      • Instruction Fuzzy Hash: 2D4106B2D40219AFEF12AFD4DC80EEEBBB9FF48704F544566E910A2150E3319A159FA0

                                                                      Control-flow Graph

                                                                      control_flow_graph 1351 2cbf26d-2cbf303 setsockopt * 5
                                                                      APIs
                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02CBF2A0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02CBF2C0
                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02CBF2DD
                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02CBF2EC
                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02CBF2FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: setsockopt
                                                                      • String ID:
                                                                      • API String ID: 3981526788-0
                                                                      • Opcode ID: 23f6f73a0b43f296650bd815c0abb2650bedc93dfcdd173cb413842dc32fdf23
                                                                      • Instruction ID: 8edb832e54facaf98497fd41cd69ccda90e3f1465c501349d6a1722f85582e70
                                                                      • Opcode Fuzzy Hash: 23f6f73a0b43f296650bd815c0abb2650bedc93dfcdd173cb413842dc32fdf23
                                                                      • Instruction Fuzzy Hash: 9011FBB1A40248BAEB11DE94CD41F9E7FBCEB44751F004066BB04EA1D0E6B19A45CB94

                                                                      Control-flow Graph

                                                                      control_flow_graph 1352 2cb1bdf-2cb1c04 call 2cb1ac3 1354 2cb1c09-2cb1c0b 1352->1354 1355 2cb1c5a-2cb1c5e 1354->1355 1356 2cb1c0d-2cb1c1d GetComputerNameA 1354->1356 1357 2cb1c1f-2cb1c24 1356->1357 1358 2cb1c45-2cb1c57 GetVolumeInformationA 1356->1358 1357->1358 1359 2cb1c26-2cb1c3b 1357->1359 1358->1355 1359->1359 1360 2cb1c3d-2cb1c3f 1359->1360 1360->1358 1361 2cb1c41-2cb1c43 1360->1361 1361->1355
                                                                      APIs
                                                                        • Part of subcall function 02CB1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02CB1AD4
                                                                        • Part of subcall function 02CB1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02CB1AE9
                                                                        • Part of subcall function 02CB1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02CB1B20
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 02CB1C15
                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02CB1C51
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: hi_id$localcfg
                                                                      • API String ID: 2794401326-2393279970
                                                                      • Opcode ID: 1b57044edacb201c0dd7a467af21b8f29e96229f99d0d9cda4288e75bc339789
                                                                      • Instruction ID: fd1bb52c113e50b9c12777d1882117a0e464efb68bfdfd71bd5b69a4b6da2704
                                                                      • Opcode Fuzzy Hash: 1b57044edacb201c0dd7a467af21b8f29e96229f99d0d9cda4288e75bc339789
                                                                      • Instruction Fuzzy Hash: 7F01D2B2A00518BFEB11DEF9C8D19EFBBBCEB44656F140436E606E3100D6B09E4496A0
                                                                      APIs
                                                                        • Part of subcall function 02CB1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02CB1AD4
                                                                        • Part of subcall function 02CB1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02CB1AE9
                                                                        • Part of subcall function 02CB1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02CB1B20
                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 02CB1BA3
                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02CB1EFD,00000000,00000000,00000000,00000000), ref: 02CB1BB8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                      • String ID: localcfg
                                                                      • API String ID: 2794401326-1857712256
                                                                      • Opcode ID: 97c322c057ff542d32f2f8da470e5d10ee8f2583752bc400b835a6451ebb3526
                                                                      • Instruction ID: 5a6dfefba50079dd7cc517308e3f300a29d1c224a0ab5e0880ec6f619229c1f5
                                                                      • Opcode Fuzzy Hash: 97c322c057ff542d32f2f8da470e5d10ee8f2583752bc400b835a6451ebb3526
                                                                      • Instruction Fuzzy Hash: 9C014FB7D00118BFE7019AE9C8819EFFABDAF48664F150561E605E7140D5705E044AE0
                                                                      APIs
                                                                      • inet_addr.WS2_32(00000001), ref: 02CB2693
                                                                      • gethostbyname.WS2_32(00000001), ref: 02CB269F
                                                                      • API ID: gethostbynameinet_addr
                                                                      • String ID: time_cfg
                                                                      • API String ID: 1594361348-2401304539
                                                                      APIs
                                                                        • Part of subcall function 02CBDD05: GetTickCount.KERNEL32 ref: 02CBDD0F
                                                                        • Part of subcall function 02CBDD05: InterlockedExchange.KERNEL32(02CC36B4,00000001), ref: 02CBDD44
                                                                        • Part of subcall function 02CBDD05: GetCurrentThreadId.KERNEL32 ref: 02CBDD53
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,02CBA445), ref: 02CBE558
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,75920F10,?,00000000,?,02CBA445), ref: 02CBE583
                                                                      • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,02CBA445), ref: 02CBE5B2
                                                                      • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                      • String ID:
                                                                      • API String ID: 3683885500-0
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000003E8), ref: 02CB88A5
                                                                        • Part of subcall function 02CBF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02CBE342,00000000,7508EA50,80000001,00000000,02CBE513,?,00000000,00000000,?,000000E4), ref: 02CBF089
                                                                        • Part of subcall function 02CBF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02CBE342,00000000,7508EA50,80000001,00000000,02CBE513,?,00000000,00000000,?,000000E4,000000C8), ref: 02CBF093
                                                                      • API ID: Time$FileSystem$Sleep
                                                                      • String ID: localcfg$rresolv
                                                                      • API String ID: 1561729337-486471987
                                                                      APIs
                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,02CC22F8,02CB42B6,00000000,00000001,02CC22F8,00000000,?,02CB98FD), ref: 02CB4021
                                                                      • GetLastError.KERNEL32(?,02CB98FD,00000001,00000100,02CC22F8,02CBA3C7), ref: 02CB402C
                                                                      • Sleep.KERNEL32(000001F4,?,02CB98FD,00000001,00000100,02CC22F8,02CBA3C7), ref: 02CB4046
                                                                      • API ID: CreateErrorFileLastSleep
                                                                      • String ID:
                                                                      • API String ID: 408151869-0
                                                                      APIs
                                                                      • GetEnvironmentVariableA.KERNEL32(02CBDC19,?,00000104), ref: 02CBDB7F
                                                                      • lstrcpyA.KERNEL32(?,02CC28F8), ref: 02CBDBA4
                                                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 02CBDBC2
                                                                      • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                      • String ID:
                                                                      • API String ID: 2536392590-0
                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 02CBEC5E
                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02CBEC72
                                                                      • GetTickCount.KERNEL32 ref: 02CBEC78
                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                      • String ID:
                                                                      • API String ID: 1209300637-0
                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000080), ref: 02CB30D8
                                                                      • gethostbyname.WS2_32(?), ref: 02CB30E2
                                                                      • API ID: gethostbynamegethostname
                                                                      • String ID:
                                                                      • API String ID: 3961807697-0
                                                                      APIs
                                                                        • Part of subcall function 02CBEBA0: GetProcessHeap.KERNEL32(00000000,00000000,02CBEC0A,00000000,80000001,?,02CBDB55,7FFF0001), ref: 02CBEBAD
                                                                        • Part of subcall function 02CBEBA0: HeapSize.KERNEL32(00000000,?,02CBDB55,7FFF0001), ref: 02CBEBB4
                                                                      • GetProcessHeap.KERNEL32(00000000,02CBEA27,00000000,02CBEA27,00000000), ref: 02CBEC41
                                                                      • RtlFreeHeap.NTDLL(00000000), ref: 02CBEC48
                                                                      • API ID: Heap$Process$FreeSize
                                                                      • String ID:
                                                                      • API String ID: 1305341483-0
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,80000001,02CBEBFE,7FFF0001,?,02CBDB55,7FFF0001), ref: 02CBEBD3
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,02CBDB55,7FFF0001), ref: 02CBEBDA
                                                                        • Part of subcall function 02CBEB74: GetProcessHeap.KERNEL32(00000000,00000000,02CBEC28,00000000,?,02CBDB55,7FFF0001), ref: 02CBEB81
                                                                        • Part of subcall function 02CBEB74: HeapSize.KERNEL32(00000000,?,02CBDB55,7FFF0001), ref: 02CBEB88
                                                                      • API ID: Heap$Process$AllocateSize
                                                                      • String ID:
                                                                      • API String ID: 2559512979-0
                                                                      APIs
                                                                      • recv.WS2_32(000000C8,?,00000000,02CBCA44), ref: 02CBF476
                                                                      • API ID: recv
                                                                      • String ID:
                                                                      • API String ID: 1507349165-0
                                                                      APIs
                                                                      • closesocket.WS2_32(00000000), ref: 02CB1992
                                                                      • API ID: closesocket
                                                                      • String ID:
                                                                      • API String ID: 2781271927-0
                                                                      APIs
                                                                      • lstrcmpiA.KERNEL32(80000011,00000000), ref: 02CBDDB5
                                                                      • API ID: lstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 1586166983-0
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02CB9816,EntryPoint), ref: 02CB638F
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02CB9816,EntryPoint), ref: 02CB63A9
                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02CB63CA
                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02CB63EB
                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                      • String ID:
                                                                      • API String ID: 1965334864-0
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02CB1839,02CB9646), ref: 02CB1012
                                                                      • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 02CB10C2
                                                                      • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02CB10E1
                                                                      • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02CB1101
                                                                      • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02CB1121
                                                                      • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02CB1140
                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02CB1160
                                                                      • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02CB1180
                                                                      • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02CB119F
                                                                      • GetProcAddress.KERNEL32(00000000,NtClose), ref: 02CB11BF
                                                                      • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 02CB11DF
                                                                      • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 02CB11FE
                                                                      • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 02CB121A
                                                                      • API ID: AddressProc$LibraryLoad
                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                      • API String ID: 2238633743-3228201535
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 02CBB2B3
                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 02CBB2C2
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 02CBB2D0
                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 02CBB2E1
                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 02CBB31A
                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 02CBB329
                                                                      • wsprintfA.USER32 ref: 02CBB3B7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                      • API String ID: 766114626-2976066047
                                                                      • Opcode ID: b7968730132023cca89d309486c1dc711f91de3a5aa79805266362fe9783be13
                                                                      • Instruction ID: ba1b46f1b7d558e036b47b1e119ca9ced2cfe02506ce9f996f39b15fd92d1f4e
                                                                      • Opcode Fuzzy Hash: b7968730132023cca89d309486c1dc711f91de3a5aa79805266362fe9783be13
                                                                      • Instruction Fuzzy Hash: E45139B1E00A1DEACF15CFD5D9889EFBBB9FF48308F2045ADE605A6150D7344A89CB91
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                      • API String ID: 2400214276-165278494
                                                                      • Opcode ID: 751daa6041bd8bd05b93a82931806bf63519853473823b72a7fba2b8104a7b8a
                                                                      • Instruction ID: e40967196dbaa43e022164f84afde19f5196edafb63da69067fc1fd6e1d518b0
                                                                      • Opcode Fuzzy Hash: 751daa6041bd8bd05b93a82931806bf63519853473823b72a7fba2b8104a7b8a
                                                                      • Instruction Fuzzy Hash: 14614A72A40208EFEB619FB4DC45FEA77E9FF48300F248569F969D2121EA719950CF50
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 02CBA7FB
                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 02CBA87E
                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 02CBA893
                                                                      • wsprintfA.USER32 ref: 02CBA8AF
                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 02CBA8D2
                                                                      • wsprintfA.USER32 ref: 02CBA8E2
                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 02CBA97C
                                                                      • wsprintfA.USER32 ref: 02CBA9B9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                      • API String ID: 3650048968-2394369944
                                                                      • Opcode ID: fbbc86cfd6f13ca74b50bb4cee377ae89b9b1e6357672480e6de0351f4cd3337
                                                                      • Instruction ID: c79eddda36e174d6c517a8aa5d8980d87166812200a0f8e1a1c97a51f68068cf
                                                                      • Opcode Fuzzy Hash: fbbc86cfd6f13ca74b50bb4cee377ae89b9b1e6357672480e6de0351f4cd3337
                                                                      • Instruction Fuzzy Hash: 17A15A71984345EEEF238A58DC85FEE776EFF40708F240466F982A7080DB328A44CB55
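The function above is a hand-rolled SMTP sender: wsprintfA builds each command, send writes it, recv reads the reply into a 0x3F6-byte (1014-byte) buffer, and the 5-byte send of "." is the CRLF.CRLF terminator of DATA. Its string table ("ehlo %s", "helo %s", "AUTH LOGIN", "mail from:<%s>", "rcpt to:<%s>", "data", "quit") and its error strings ("Too small respons", "Too big smtp respons (%d bytes)", "Incorrect respons", "Error sending command (sent = %d/%d)") fix the dialogue well enough to model it. The following is an added example written for this page, not code from the report or from the sample, that drives that dialogue against a scripted in-memory server so the wire sequence can be studied offline. The choice of EHLO when the banner contains "ESMTP", the use of 1014 bytes as the reply buffer size, and the order of the checks are assumptions drawn from the listed strings and call arguments; all server replies are constructed.

```python
import base64
from typing import List, Optional, Tuple

RECV_LIMIT = 0x3F6          # recv() length in the trace: 1014 bytes (assumed reply buffer)
END_OF_DATA = b"\r\n.\r\n"  # the 5-byte "." send that terminates DATA


class SmtpError(Exception):
    pass


class ScriptedServer:
    """Stand-in for the remote MTA: constructed replies, nothing touches the network."""

    def __init__(self, replies: List[bytes]):
        self.replies = list(replies)
        self.received: List[bytes] = []

    def send(self, data: bytes) -> int:
        self.received.append(data)
        return len(data)

    def recv(self, n: int) -> bytes:
        return self.replies.pop(0)[:n] if self.replies else b""


def read_reply(srv: ScriptedServer) -> Tuple[int, bytes]:
    """One reply, with the size and syntax checks the error strings imply."""
    data = srv.recv(RECV_LIMIT)
    if len(data) < 4:                                    # shorter than "NNN "
        raise SmtpError("Too small respons")
    if len(data) >= RECV_LIMIT:                          # would not fit the buffer
        raise SmtpError("Too big smtp respons (%d bytes)" % len(data))
    if not data[:3].isdigit():
        raise SmtpError("Incorrect respons")
    return int(data[:3]), data


def command(srv: ScriptedServer, line: bytes, expect: int) -> bytes:
    """Send one command line and require the expected 3-digit reply code."""
    wire = line + b"\r\n"
    sent = srv.send(wire)
    if sent != len(wire):
        raise SmtpError("Error sending command (sent = %d/%d)" % (sent, len(wire)))
    code, reply = read_reply(srv)
    if code != expect:
        raise SmtpError("Incorrect respons")
    return reply


def send_message(srv: ScriptedServer, helo_name: str, mail_from: str, rcpt_to: str,
                 body: bytes, auth: Optional[Tuple[str, str]] = None) -> List[bytes]:
    """Drive one session; returns everything the client wrote, in order."""
    code, banner = read_reply(srv)
    if code != 220:
        raise SmtpError("Incorrect respons")
    greet = b"ehlo" if b"ESMTP" in banner else b"helo"  # assumption: banner selects EHLO vs HELO
    command(srv, greet + b" " + helo_name.encode(), 250)
    if auth:                                              # AUTH LOGIN: base64 user, then password
        user, password = auth
        command(srv, b"AUTH LOGIN", 334)
        command(srv, base64.b64encode(user.encode()), 334)
        command(srv, base64.b64encode(password.encode()), 235)
    command(srv, b"mail from:<" + mail_from.encode() + b">", 250)
    command(srv, b"rcpt to:<" + rcpt_to.encode() + b">", 250)
    command(srv, b"data", 354)
    srv.send(body)
    sent = srv.send(END_OF_DATA)
    if sent != len(END_OF_DATA):
        raise SmtpError("Error sending command (sent = %d/%d)" % (sent, len(END_OF_DATA)))
    code, _ = read_reply(srv)
    if code != 250:
        raise SmtpError("Incorrect respons")
    command(srv, b"quit", 221)
    return list(srv.received)


# Constructed MTA replies for an unauthenticated and an authenticated session.
SAMPLE_REPLIES = [
    b"220 mx.example ESMTP Postfix\r\n",
    b"250-mx.example\r\n250 AUTH LOGIN\r\n",
    b"250 2.1.0 Ok\r\n",
    b"250 2.1.5 Ok\r\n",
    b"354 End data with <CR><LF>.<CR><LF>\r\n",
    b"250 2.0.0 Ok: queued\r\n",
    b"221 2.0.0 Bye\r\n",
]
AUTH_REPLIES = SAMPLE_REPLIES[:2] + [
    b"334 VXNlcm5hbWU6\r\n", b"334 UGFzc3dvcmQ6\r\n", b"235 2.7.0 Authentication successful\r\n",
] + SAMPLE_REPLIES[2:]


def try_session(replies: List[bytes], auth: Optional[Tuple[str, str]] = None) -> str:
    """Run a session against constructed replies; 'ok' or the error string raised."""
    try:
        send_message(ScriptedServer(replies), "host.example", "a@example.com",
                     "b@example.com", b"Subject: x\r\n\r\nhi", auth)
        return "ok"
    except SmtpError as e:
        return str(e)
```

Feeding the same scripted replies to a real socket (or replaying them from a honeypot MTA) reproduces the sequence a network sensor would see from an infected host: lower-case "mail from:<" and "rcpt to:<", a bare "data", and QUIT after a single message.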
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(?), ref: 02CB139A
                                                                      • lstrlenW.KERNEL32(-00000003), ref: 02CB1571
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteShelllstrlen
                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                      • API String ID: 1628651668-3716895483
                                                                      • Opcode ID: bb7339478fc5b2c644789f1485b00b0d6300b21d07a3a84cdff827a875832a79
                                                                      • Instruction ID: e3b701aced8e04700a1641b6bc5698e8dd81a303e4096b9519dac0532ef3f632
                                                                      • Opcode Fuzzy Hash: bb7339478fc5b2c644789f1485b00b0d6300b21d07a3a84cdff827a875832a79
                                                                      • Instruction Fuzzy Hash: 80F19BB55083419FD321DF64C898BABB7E5FF88304F188A2DF99A97280D7B4D944CB52
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 02CB2A83
                                                                      • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 02CB2A86
                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 02CB2AA0
                                                                      • htons.WS2_32(00000000), ref: 02CB2ADB
                                                                      • select.WS2_32 ref: 02CB2B28
                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 02CB2B4A
                                                                      • htons.WS2_32(?), ref: 02CB2B71
                                                                      • htons.WS2_32(?), ref: 02CB2B8C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02CB2BFB
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                      • String ID:
                                                                      • API String ID: 1639031587-0
                                                                      • Opcode ID: fc6a80d91308c739bf87333de98924ff06e0bf234af8daa38b46f7214b2016cc
                                                                      • Instruction ID: 231a278d71a63d1037cf9892c48db0d225e13b1779bc63cee67a5acd13b9ebbb
                                                                      • Opcode Fuzzy Hash: fc6a80d91308c739bf87333de98924ff06e0bf234af8daa38b46f7214b2016cc
                                                                      • Instruction Fuzzy Hash: 0061E3B19047049FE7229F61DC48BABBBE8FF88796F100909FD8597250D7B4D9408BA3
                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 02CB70C2
                                                                      • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 02CB719E
                                                                      • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 02CB71B2
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 02CB7208
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 02CB7291
                                                                      • ___ascii_stricmp.LIBCMT ref: 02CB72C2
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 02CB72D0
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 02CB7314
                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02CB738D
                                                                      • RegCloseKey.ADVAPI32(75920F10), ref: 02CB73D8
                                                                        • Part of subcall function 02CBF1A5: lstrlenA.KERNEL32(000000C8,000000E4,02CC22F8,000000C8,02CB7150,?), ref: 02CBF1AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                      • String ID: $"
                                                                      • API String ID: 4293430545-3817095088
                                                                      • Opcode ID: 9aed3989b6529218227944e11c9b53c4d5dd1ce7b3048c0fe617b583286b228d
                                                                      • Instruction ID: a1c27577db0a49cd729fc2942366c60107012d698d5969edfbed26a5e7ddca7b
                                                                      • Opcode Fuzzy Hash: 9aed3989b6529218227944e11c9b53c4d5dd1ce7b3048c0fe617b583286b228d
                                                                      • Instruction Fuzzy Hash: B5B19172C44209EEDF169FA4DC44BEEB7B9EF84311F200566F905E6090EB719B88DB61
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 02CBAD98
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 02CBADA6
                                                                        • Part of subcall function 02CBAD08: gethostname.WS2_32(?,00000080), ref: 02CBAD1C
                                                                        • Part of subcall function 02CBAD08: lstrlenA.KERNEL32(00000000), ref: 02CBAD60
                                                                        • Part of subcall function 02CBAD08: lstrlenA.KERNEL32(00000000), ref: 02CBAD69
                                                                        • Part of subcall function 02CBAD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 02CBAD7F
                                                                        • Part of subcall function 02CB30B5: gethostname.WS2_32(?,00000080), ref: 02CB30D8
                                                                        • Part of subcall function 02CB30B5: gethostbyname.WS2_32(?), ref: 02CB30E2
                                                                      • wsprintfA.USER32 ref: 02CBAEA5
                                                                        • Part of subcall function 02CBA7A3: inet_ntoa.WS2_32(?), ref: 02CBA7A9
                                                                      • wsprintfA.USER32 ref: 02CBAE4F
                                                                      • wsprintfA.USER32 ref: 02CBAE5E
                                                                        • Part of subcall function 02CBEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02CBEF92
                                                                        • Part of subcall function 02CBEF7C: lstrlenA.KERNEL32(?), ref: 02CBEF99
                                                                        • Part of subcall function 02CBEF7C: lstrlenA.KERNEL32(00000000), ref: 02CBEFA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                      • API String ID: 3631595830-1816598006
                                                                      • Opcode ID: 4acf31b53873843bceb1e17255ea76a28a549341e184b7d2c43fba3fd4030012
                                                                      • Instruction ID: d2f7b1c491c54931e8f4113f9c74ac763edee46dbb9c3eadd827b71c36f3b28c
                                                                      • Opcode Fuzzy Hash: 4acf31b53873843bceb1e17255ea76a28a549341e184b7d2c43fba3fd4030012
                                                                      • Instruction Fuzzy Hash: 1F412FB290024CABEF26EFA1DC45EEE3BADFF08700F24042AF91592151EA75E5549F50
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,02CB2F0F,?,02CB20FF,02CC2000), ref: 02CB2E01
                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02CB2F0F,?,02CB20FF,02CC2000), ref: 02CB2E11
                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02CB2E2E
                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02CB2F0F,?,02CB20FF,02CC2000), ref: 02CB2E4C
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,02CB2F0F,?,02CB20FF,02CC2000), ref: 02CB2E4F
                                                                      • htons.WS2_32(00000035), ref: 02CB2E88
                                                                      • inet_addr.WS2_32(?), ref: 02CB2E93
                                                                      • gethostbyname.WS2_32(?), ref: 02CB2EA6
                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02CB2F0F,?,02CB20FF,02CC2000), ref: 02CB2EE3
                                                                      • HeapFree.KERNEL32(00000000,?,00000000,02CB2F0F,?,02CB20FF,02CC2000), ref: 02CB2EE6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                      • API String ID: 929413710-2099955842
                                                                      • Opcode ID: 08e0cc45c7690d919379e00470967f746cb5229f3d5528d1439b3e8781df82c1
                                                                      • Instruction ID: 38ab8149b19c4cdb37a7b72f26135a262689e72369165f8192e9b11d93fc0dac
                                                                      • Opcode Fuzzy Hash: 08e0cc45c7690d919379e00470967f746cb5229f3d5528d1439b3e8781df82c1
                                                                      • Instruction Fuzzy Hash: 9D31F379D40689ABDF129BBA8C48BEF7778AF40366F200615FC14E3290DB30D641CB52
                                                                      APIs
                                                                      • GetVersionExA.KERNEL32(?,?,02CB9DD7,?,00000022,?,?,00000000,00000001), ref: 02CB9340
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02CB9DD7,?,00000022,?,?,00000000,00000001), ref: 02CB936E
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,02CB9DD7,?,00000022,?,?,00000000,00000001), ref: 02CB9375
                                                                      • wsprintfA.USER32 ref: 02CB93CE
                                                                      • wsprintfA.USER32 ref: 02CB940C
                                                                      • wsprintfA.USER32 ref: 02CB948D
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02CB94F1
                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02CB9526
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02CB9571
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                      • String ID: runas
                                                                      • API String ID: 3696105349-4000483414
                                                                      • Opcode ID: daea4ec20f55f8114133ec3623075fc53173339c24ec91f8188f85072ad53117
                                                                      • Instruction ID: 7c87905ecb8bd7c0fa0fe5e01db012d76493a24b7d10c34ca4382c9f2ee2d97b
                                                                      • Opcode Fuzzy Hash: daea4ec20f55f8114133ec3623075fc53173339c24ec91f8188f85072ad53117
                                                                      • Instruction Fuzzy Hash: 9FA19DB2980248EFEB229FA1CC85FDE3BADEF44741F200126FA1592151E775DA44DFA1
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02CB2078
                                                                      • GetTickCount.KERNEL32 ref: 02CB20D4
                                                                      • GetTickCount.KERNEL32 ref: 02CB20DB
                                                                      • GetTickCount.KERNEL32 ref: 02CB212B
                                                                      • GetTickCount.KERNEL32 ref: 02CB2132
                                                                      • GetTickCount.KERNEL32 ref: 02CB2142
                                                                        • Part of subcall function 02CBF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02CBE342,00000000,7508EA50,80000001,00000000,02CBE513,?,00000000,00000000,?,000000E4), ref: 02CBF089
                                                                        • Part of subcall function 02CBF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02CBE342,00000000,7508EA50,80000001,00000000,02CBE513,?,00000000,00000000,?,000000E4,000000C8), ref: 02CBF093
                                                                        • Part of subcall function 02CBE854: lstrcpyA.KERNEL32(00000001,?,?,02CBD8DF,00000001,localcfg,except_info,00100000,02CC0264), ref: 02CBE88B
                                                                        • Part of subcall function 02CBE854: lstrlenA.KERNEL32(00000001,?,02CBD8DF,00000001,localcfg,except_info,00100000,02CC0264), ref: 02CBE899
                                                                        • Part of subcall function 02CB1C5F: wsprintfA.USER32 ref: 02CB1CE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip$ip
                                                                      • API String ID: 3976553417-1099056323
                                                                      • Opcode ID: 37758e6e94d6164e7725b428d2643f6660a4fe3438e7a01cdf48009e0dcbc8e3
                                                                      • Instruction ID: b40f26c2590e04b44e7a19fab387419ba65aeb31a415ccd12f6e2d2acef372d1
                                                                      • Opcode Fuzzy Hash: 37758e6e94d6164e7725b428d2643f6660a4fe3438e7a01cdf48009e0dcbc8e3
                                                                      • Instruction Fuzzy Hash: B7515470D843458EE72AEF30FC45BD67BE9AF40324F200A1EEE0586198DBB09654DB93
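Two of the blocks above describe the bot's own DNS client. The first resolves GetNetworkParams from iphlpapi.dll to read the host's configured resolver, calls htons(0x35) for UDP port 53 and then inet_addr/gethostbyname on the target; the UDP socket block earlier on the page (socket(2, 2, 17), select, recv into 0x1000 bytes) is the matching receive side. The block just above, keyed on "rbl_ip", "rbl_bl", "net_type" and "ip" with GetTickCount timing, reads as a check of the bot's own address against a DNS-based blocklist; that is an inference from the names, the report itself does not say so. The following added example, written for this page and not taken from the report or the sample, builds and parses a raw A-record query the way such a client must, forms the reversed-octet name a DNSBL lookup uses, and interprets a 127.0.0.x answer as "listed". The zone name, addresses and the reply are all constructed, and nothing is sent on the network.

```python
import struct
from typing import List, Tuple

DNS_PORT = 0x35  # htons(0x35) in the trace: UDP/53


def encode_name(name: str) -> bytes:
    """Wire-format labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard query, RD set, one question (RFC 1035 section 4.1); qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a name at off, following compression pointers; returns (name, next offset)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                              # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 32:
                raise ValueError("pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_answers(msg: bytes, txid: int) -> List[str]:
    """Dotted-quad A records from a response; checks the id and the QR bit.
    A non-zero RCODE (3 = NXDOMAIN, the usual 'not listed' DNSBL answer) yields []."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F != 0:
        return []
    off = 12
    for _ in range(qd):                                    # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def dnsbl_name(ip: str, zone: str) -> str:
    """Reversed-octet query name used by DNS blocklists: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(answers: List[str]) -> bool:
    """Blocklists answer with an address in 127.0.0.0/8 when the IP is listed."""
    return any(a.startswith("127.") for a in answers)


def build_response(query: bytes, addrs: List[str]) -> bytes:
    """Constructed reply for offline testing: echoes the question, answers point at it."""
    txid, = struct.unpack("!H", query[:2])
    qname_end = query.index(b"\x00", 12) + 1 + 4           # past the zero label, QTYPE, QCLASS
    question = query[12:qname_end]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    return header + question + rrs
```

Building the packet by hand rather than calling gethostbyname on the blocklist name is what lets the bot pick its own resolver (the one GetNetworkParams returned) and its own port; on the wire this shows up as UDP/53 traffic from svchost.exe to the DHCP-assigned resolver for names the host never browsed to.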
                                                                      APIs
                                                                      • wsprintfA.USER32 ref: 02CBB467
                                                                        • Part of subcall function 02CBEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02CBEF92
                                                                        • Part of subcall function 02CBEF7C: lstrlenA.KERNEL32(?), ref: 02CBEF99
                                                                        • Part of subcall function 02CBEF7C: lstrlenA.KERNEL32(00000000), ref: 02CBEFA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$wsprintf
                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                      • API String ID: 1220175532-2340906255
                                                                      • Opcode ID: aafd7259fea1c9dcc29bbc70b9d6699a23b566b997a09a41f79ffc24dd17d415
                                                                      • Instruction ID: 77b31fa4e8302d7af09eff4a89557acd1b557a20e7821638c752615fb6b4938a
                                                                      • Opcode Fuzzy Hash: aafd7259fea1c9dcc29bbc70b9d6699a23b566b997a09a41f79ffc24dd17d415
                                                                      • Instruction Fuzzy Hash: 7A4162B294011CBEEF02AAA4CCC5DFF7B6DEF49648F240029F905A2100DB75AE149BB1
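Three blocks on this page belong to the message builder rather than the transport: the one near the top that formats "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u" from GetLocalTime and GetTimeZoneInformation with the Sun..Sat and Jan..Dec tables, the one that forms "%08x@%s" and "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" after gethostname (falling back to the literal "LocalHost"), and the one just above that substitutes %FROM_EMAIL, %FROM_USER, %FROM_DOMAIN, %TO_EMAIL, %TO_USER, %TO_DOMAIN and %DATE into a template. The following added example, written for this page and not code from the report or from the sample, reproduces those three steps with the format strings exactly as they appear in the string table, so the headers an infected host emits can be generated for test data and recognised in captured mail. Python's printf-style operator accepts the C length modifier in "%08.8lX", which is why the strings can be used verbatim. The sign convention for the zone (Windows defines UTC = local + Bias) is standard; the inputs to the boundary and the Message-ID counter, and the macros %TO_HASH, %M5DATE and %P5DATE, are not derivable from the report and are left as parameters or unexpanded.

```python
import re
from datetime import datetime
from typing import Dict

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]       # SYSTEMTIME.wDayOfWeek order
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Format strings copied from the string table; Python's % ignores the C 'l' modifier.
DATE_FMT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"
MSGID_FMT = "%08x@%s"
BOUNDARY_FMT = "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX"
# Recogniser for the boundary; note genuine Outlook mail uses the same shape, so this
# is a triage aid, not a unique indicator.
BOUNDARY_RE = re.compile(r"----=_NextPart_\d{3}_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8}")


def date_header(local: datetime, bias_minutes: int) -> str:
    """RFC 2822 Date from local time plus TIME_ZONE_INFORMATION.Bias.
    Windows defines UTC = local + Bias, so the printed zone offset is -Bias."""
    offset = -bias_minutes
    sign = "-" if offset < 0 else "+"
    offset = abs(offset)
    wday = (local.weekday() + 1) % 7       # datetime has Mon=0, SYSTEMTIME has Sun=0
    return DATE_FMT % (DAYS[wday], local.day, MONTHS[local.month - 1], local.year,
                       local.hour, local.minute, local.second,
                       sign, offset // 60, offset % 60)


def message_id(counter: int, hostname: str) -> str:
    """'%08x@%s'; a failed gethostname() falls back to the literal 'LocalHost'."""
    return MSGID_FMT % (counter & 0xFFFFFFFF, hostname or "LocalHost")


def mime_boundary(n: int, a: int, b: int, c: int) -> str:
    """Outlook-style NextPart boundary. The four inputs are whatever counters or
    timestamps the bot feeds in; the report does not show their origin."""
    return BOUNDARY_FMT % (n % 1000, a & 0xFFFF, b & 0xFFFFFFFF, c & 0xFFFFFFFF)


def macro_values(from_addr: str, to_addr: str, date: str) -> Dict[str, str]:
    """The %FROM_*, %TO_* and %DATE macros. %TO_HASH, %M5DATE and %P5DATE are not
    produced here because their derivation is not visible in the report."""
    fu, fd = from_addr.split("@", 1)
    tu, td = to_addr.split("@", 1)
    return {"%FROM_EMAIL": "%s@%s" % (fu, fd), "%FROM_USER": fu, "%FROM_DOMAIN": fd,
            "%TO_EMAIL": "%s@%s" % (tu, td), "%TO_USER": tu, "%TO_DOMAIN": td,
            "%DATE": date}


def expand(template: str, values: Dict[str, str]) -> str:
    """Substitute macros, longest name first so a short name cannot match inside a longer one."""
    if not values:
        return template
    pattern = "|".join(re.escape(k) for k in sorted(values, key=len, reverse=True))
    return re.sub(pattern, lambda m: values[m.group(0)], template)
```

A practical use of date_header is to spot the bot's output by its side effects: the zone is printed from the victim's GetTimeZoneInformation Bias, so mail that claims to come from a sender in one country but carries the Date offset of another is consistent with this builder.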
                                                                      APIs
                                                                        • Part of subcall function 02CBA4C7: GetTickCount.KERNEL32 ref: 02CBA4D1
                                                                        • Part of subcall function 02CBA4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 02CBA4FA
                                                                      • GetTickCount.KERNEL32 ref: 02CBC31F
                                                                      • GetTickCount.KERNEL32 ref: 02CBC32B
                                                                      • GetTickCount.KERNEL32 ref: 02CBC363
                                                                      • GetTickCount.KERNEL32 ref: 02CBC378
                                                                      • GetTickCount.KERNEL32 ref: 02CBC44D
                                                                      • InterlockedIncrement.KERNEL32(02CBC4E4), ref: 02CBC4AE
                                                                      • CreateThread.KERNEL32(00000000,00000000,02CBB535,00000000,?,02CBC4E0), ref: 02CBC4C1
                                                                      • CloseHandle.KERNEL32(00000000,?,02CBC4E0,02CC3588,02CB8810), ref: 02CBC4CC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                      • String ID: localcfg
                                                                      • API String ID: 1553760989-1857712256
                                                                      • Opcode ID: 9b6dbeb311451052d27a6a9ffb0bbdfe3acd028f2d4d103e11eb098d85ec745a
                                                                      • Instruction ID: 004e874a3ce184f237792d32e7e8d7e6d6f42fd096e55b2361a3b64bfffbc195
                                                                      • Opcode Fuzzy Hash: 9b6dbeb311451052d27a6a9ffb0bbdfe3acd028f2d4d103e11eb098d85ec745a
                                                                      • Instruction Fuzzy Hash: 1F5149B1A00B418FD7258F6AC5C466ABBE9FF88304B90593ED18BC7A90D774EA44CF14
                                                                      APIs
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02CBBE4F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02CBBE5B
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02CBBE67
                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02CBBF6A
                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02CBBF7F
                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02CBBF94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                      • API String ID: 1586166983-1625972887
                                                                      • Opcode ID: 235925a32c624c6d9a2ee82d98b0e58f88171569813879fdfa7a868e921890b0
                                                                      • Instruction ID: 46df23734e7f17bc5b5fe990c14cb8cc3766a4215ac5e637b2b7fc9eee31ec9f
                                                                      • Opcode Fuzzy Hash: 235925a32c624c6d9a2ee82d98b0e58f88171569813879fdfa7a868e921890b0
                                                                      • Instruction Fuzzy Hash: FF51B379A0065AEFDB129F65C884BDEBBB9AF4474CF544069EC429B210D731EE41CF90
                                                                      APIs
                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,02CB9A60,?,?,02CB9E9D), ref: 02CB6A7D
                                                                      • GetDiskFreeSpaceA.KERNEL32(02CB9E9D,02CB9A60,?,?,?,02CC22F8,?,?,?,02CB9A60,?,?,02CB9E9D), ref: 02CB6ABB
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,02CB9A60,?,?,02CB9E9D), ref: 02CB6B40
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02CB9A60,?,?,02CB9E9D), ref: 02CB6B4E
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02CB9A60,?,?,02CB9E9D), ref: 02CB6B5F
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,02CB9A60,?,?,02CB9E9D), ref: 02CB6B6F
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02CB9A60,?,?,02CB9E9D), ref: 02CB6B7D
                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02CB9A60,?,?,02CB9E9D), ref: 02CB6B80
                                                                      • GetLastError.KERNEL32(?,?,?,02CB9A60,?,?,02CB9E9D,?,?,?,?,?,02CB9E9D,?,00000022,?), ref: 02CB6B96
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                      • String ID:
                                                                      • API String ID: 3188212458-0
                                                                      • Opcode ID: eff7fa0bb2bf326203ea6323b1aa801ba9070c925fc1d7d98d682023dff88abe
                                                                      • Instruction ID: 939646af4f8fb5830a3b0602be5593180e257c3643ba32b515db03ad04b96b77
                                                                      • Opcode Fuzzy Hash: eff7fa0bb2bf326203ea6323b1aa801ba9070c925fc1d7d98d682023dff88abe
                                                                      • Instruction Fuzzy Hash: 7131C2B2D40249AFDB029FA4CC44BDEBB7DEF84310F254566E651A3240D7309A559FA1
                                                                      APIs
                                                                      • GetUserNameA.ADVAPI32(?,02CBD7C3), ref: 02CB6F7A
                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,02CBD7C3), ref: 02CB6FC1
                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02CB6FE8
                                                                      • LocalFree.KERNEL32(00000120), ref: 02CB701F
                                                                      • wsprintfA.USER32 ref: 02CB7036
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                      • String ID: /%d$|
                                                                      • API String ID: 676856371-4124749705
                                                                      • Opcode ID: 4976cd0daf7671255a805addcc43a17bc0687c560aed2bf475b2a12e2157fead
                                                                      • Instruction ID: cbbd5c479e9d98ed1727360f4cc27822194581e7cf945274dee0ba40ba36af6a
                                                                      • Opcode Fuzzy Hash: 4976cd0daf7671255a805addcc43a17bc0687c560aed2bf475b2a12e2157fead
                                                                      • Instruction Fuzzy Hash: 3A311872900218EBDB02DFA9D848BDA7BBCEF04314F148166F859DB201EB35D718CB94
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,02CC22F8,000000E4,02CB6DDC,000000C8), ref: 02CB6CE7
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 02CB6CEE
                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02CB6D14
                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02CB6D2B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                      • API String ID: 1082366364-3395550214
                                                                      • Opcode ID: 9131bcdcfae397ad2b691cc55894fa5231a51363966202952530f2bcd5f0fa48
                                                                      • Instruction ID: 5c4c2d433089300642e9fd82e9b720362311d8fb77f8a877eaa7ee99ecde5216
                                                                      • Opcode Fuzzy Hash: 9131bcdcfae397ad2b691cc55894fa5231a51363966202952530f2bcd5f0fa48
                                                                      • Instruction Fuzzy Hash: 672135A1A80280B9F72356328C88FF77F4D8F82A05F3C054CFD04A6181CB958646A6A6
                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(00000000,02CB9947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02CC22F8), ref: 02CB97B1
                                                                      • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02CC22F8), ref: 02CB97EB
                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02CC22F8), ref: 02CB97F9
                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02CC22F8), ref: 02CB9831
                                                                      • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02CC22F8), ref: 02CB984E
                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02CC22F8), ref: 02CB985B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                      • String ID: D
                                                                      • API String ID: 2981417381-2746444292
                                                                      • Opcode ID: f03c3fec032f6cc52a4729d05a14726c1f62c2abcdaacf874cd6520d23b6b31d
                                                                      • Instruction ID: 03251d50061368004199ceca622d1dbd42d7fa0cc6f746a1d2512f4ba806ed01
                                                                      • Opcode Fuzzy Hash: f03c3fec032f6cc52a4729d05a14726c1f62c2abcdaacf874cd6520d23b6b31d
                                                                      • Instruction Fuzzy Hash: 412127B1D41229ABDF229FA1DC49FEFBBBCEF09654F400561FA19E1140EB309654CEA0
                                                                      APIs
                                                                        • Part of subcall function 02CBDD05: GetTickCount.KERNEL32 ref: 02CBDD0F
                                                                        • Part of subcall function 02CBDD05: InterlockedExchange.KERNEL32(02CC36B4,00000001), ref: 02CBDD44
                                                                        • Part of subcall function 02CBDD05: GetCurrentThreadId.KERNEL32 ref: 02CBDD53
                                                                        • Part of subcall function 02CBDD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 02CBDDB5
                                                                      • lstrcpynA.KERNEL32(?,02CB1E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,02CBEAAA,?,?), ref: 02CBE8DE
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,02CBEAAA,?,?,00000001,?,02CB1E84,?), ref: 02CBE935
                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,02CBEAAA,?,?,00000001,?,02CB1E84,?,0000000A), ref: 02CBE93D
                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,02CBEAAA,?,?,00000001,?,02CB1E84,?), ref: 02CBE94F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                      • String ID: flags_upd$localcfg
                                                                      • API String ID: 204374128-3505511081
                                                                      • Opcode ID: 3e2fac98ff432674ac442f0bcdeaaa6ff3c0978327c8bcf6b528954b20a41653
                                                                      • Instruction ID: d1a2ded7a9d274fb4595d0a7899c0562b85a978097c51020c38ea2e911fb6d7d
                                                                      • Opcode Fuzzy Hash: 3e2fac98ff432674ac442f0bcdeaaa6ff3c0978327c8bcf6b528954b20a41653
                                                                      • Instruction Fuzzy Hash: 48511E72D0020AAFCB12EFA8C9849EEBBF9FF48704F54456AE405A7210DB35EA55DF50
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Code
                                                                      • String ID:
                                                                      • API String ID: 3609698214-0
                                                                      • Opcode ID: 6aead6e2e06316a931822bb36265f3a724ae52ae9cb861945e4bc7fb7dd33f64
                                                                      • Instruction ID: c3d0a60755aec76824c735c04e918b03def455f5726220aff689a1b44bf354cb
                                                                      • Opcode Fuzzy Hash: 6aead6e2e06316a931822bb36265f3a724ae52ae9cb861945e4bc7fb7dd33f64
                                                                      • Instruction Fuzzy Hash: 3E216D72904515FEDB126BA1ED48EDF3BACEF44766F304A15F502E2080EB31DA10EAB4
                                                                      APIs
                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,02CC22F8), ref: 02CB907B
                                                                      • wsprintfA.USER32 ref: 02CB90E9
                                                                      • CreateFileA.KERNEL32(02CC22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02CB910E
                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02CB9122
                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02CB912D
                                                                      • CloseHandle.KERNEL32(00000000), ref: 02CB9134
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                      • String ID:
                                                                      • API String ID: 2439722600-0
                                                                      • Opcode ID: c075e56224cbbcbafa56fec906a12e8f8c22893636f8dc905c241f5dec39592d
                                                                      • Instruction ID: d35e4de69991218fa0fc05a41ccb7d9868908adcbe9db2b61d94dabb841d64c1
                                                                      • Opcode Fuzzy Hash: c075e56224cbbcbafa56fec906a12e8f8c22893636f8dc905c241f5dec39592d
                                                                      • Instruction Fuzzy Hash: 4011D6B6A40524BBFB266632DC0DFEF366EDFC4B11F108565FB0AA1144EA704E119FA0
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02CBDD0F
                                                                      • GetCurrentThreadId.KERNEL32 ref: 02CBDD20
                                                                      • GetTickCount.KERNEL32 ref: 02CBDD2E
                                                                      • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,02CBE538,?,75920F10,?,00000000,?,02CBA445), ref: 02CBDD3B
                                                                      • InterlockedExchange.KERNEL32(02CC36B4,00000001), ref: 02CBDD44
                                                                      • GetCurrentThreadId.KERNEL32 ref: 02CBDD53
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 3819781495-0
                                                                      • Opcode ID: b0add324302be83abaf485d9823c299a17cfadd7469699b69033dd7e241be775
                                                                      • Instruction ID: 61881d5017ae6819a45f4305a07801810675dc87342f22352b1e52032074e39b
                                                                      • Opcode Fuzzy Hash: b0add324302be83abaf485d9823c299a17cfadd7469699b69033dd7e241be775
                                                                      • Instruction Fuzzy Hash: C8F0E272984204DFC7817B75F884B6D3BA4FB4532AF214A56E10AC3240C7205465DFB2
                                                                      APIs
                                                                      • gethostname.WS2_32(?,00000080), ref: 02CBAD1C
                                                                      • lstrlenA.KERNEL32(00000000), ref: 02CBAD60
                                                                      • lstrlenA.KERNEL32(00000000), ref: 02CBAD69
                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 02CBAD7F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                      • String ID: LocalHost
                                                                      • API String ID: 3695455745-3154191806
                                                                      • Opcode ID: 19e722ac93bc2d9e14d5360775cb1da87056108acceffea2d350a42e0128536e
                                                                      • Instruction ID: 758938926aa9f107139e91854539ad2ef588e400799a31ffd45d20c9a18a0706
                                                                      • Opcode Fuzzy Hash: 19e722ac93bc2d9e14d5360775cb1da87056108acceffea2d350a42e0128536e
                                                                      • Instruction Fuzzy Hash: A9012430C841899DDF334A38D844BF93F7AAFD775AF200156E4C09B115EF24868787A2
                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,02CB98FD,00000001,00000100,02CC22F8,02CBA3C7), ref: 02CB4290
                                                                      • CloseHandle.KERNEL32(02CBA3C7), ref: 02CB43AB
                                                                      • CloseHandle.KERNEL32(00000001), ref: 02CB43AE
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$CreateEvent
                                                                      • String ID:
                                                                      • API String ID: 1371578007-0
                                                                      • Opcode ID: 1a7e5f3d42e5a8d6bf329f9f02178394ba319f8eb67617fbb12d6c3ef9fe58ff
                                                                      • Instruction ID: f984c810c37b181165bf8936ced31ba04a625f48fa634e0d87d8d807a264d6f1
                                                                      • Opcode Fuzzy Hash: 1a7e5f3d42e5a8d6bf329f9f02178394ba319f8eb67617fbb12d6c3ef9fe58ff
                                                                      • Instruction Fuzzy Hash: F241BCB1C44209BADF22ABA1DD89FEFBFBDEF40324F204595F614A2181D7359640DBA0
                                                                      APIs
                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,02CB64CF,00000000), ref: 02CB609C
                                                                      • LoadLibraryA.KERNEL32(?,?,02CB64CF,00000000), ref: 02CB60C3
                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 02CB614A
                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02CB619E
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                      • String ID:
                                                                      • API String ID: 2438460464-0
                                                                      • Opcode ID: 1389392ea2bdb40fa02db3bd4a4f86e32d5349d8e58b1609e78e80c47a6a393b
                                                                      • Instruction ID: deaa26e666a521f0812c1876703d1d033d44d64a3b89506aee58b9357b78ed33
                                                                      • Opcode Fuzzy Hash: 1389392ea2bdb40fa02db3bd4a4f86e32d5349d8e58b1609e78e80c47a6a393b
                                                                      • Instruction Fuzzy Hash: D8414871E00205EBDB15CF69CC84BAAB7B9FF54358F288169E815D7391E730EA41CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 197745c19de072c0100c7e03b4bfe7fb40495d9915afd7f78629df2bb4f1e42d
                                                                      • Instruction ID: 9c51fc2ffe53fc2e0a885a210e20475045f97219f5dd536bd10ead54d727aabe
                                                                      • Opcode Fuzzy Hash: 197745c19de072c0100c7e03b4bfe7fb40495d9915afd7f78629df2bb4f1e42d
                                                                      • Instruction Fuzzy Hash: 9D319F71A40208ABDB229FA5CC81BFEB7F4FF48701F104456E948E7285E374DA41DB55
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02CB272E
                                                                      • htons.WS2_32(00000001), ref: 02CB2752
                                                                      • htons.WS2_32(0000000F), ref: 02CB27D5
                                                                      • htons.WS2_32(00000001), ref: 02CB27E3
                                                                      • sendto.WS2_32(?,02CC2BF8,00000009,00000000,00000010,00000010), ref: 02CB2802
                                                                        • Part of subcall function 02CBEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02CBEBFE,7FFF0001,?,02CBDB55,7FFF0001), ref: 02CBEBD3
                                                                        • Part of subcall function 02CBEBCC: RtlAllocateHeap.NTDLL(00000000,?,02CBDB55,7FFF0001), ref: 02CBEBDA
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                      • String ID:
                                                                      • API String ID: 1128258776-0
                                                                      • Opcode ID: 50eb281a047b8130e50d6173b290b03b95900e5764fee297d9c0a68a0c7acc9c
                                                                      • Instruction ID: a524b734df9521e4979838854d811fd8543f83220d0fd8c8ab7d7dd92fc052ee
                                                                      • Opcode Fuzzy Hash: 50eb281a047b8130e50d6173b290b03b95900e5764fee297d9c0a68a0c7acc9c
                                                                      • Instruction Fuzzy Hash: F4316B38A803829FD7218F74D8A0BA17764EF59318F3A896DDC56CB312D732D492DB16
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02CC22F8), ref: 02CB915F
                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 02CB9166
                                                                      • CharToOemA.USER32(?,?), ref: 02CB9174
                                                                      • wsprintfA.USER32 ref: 02CB91A9
                                                                        • Part of subcall function 02CB9064: GetTempPathA.KERNEL32(00000400,?,00000000,02CC22F8), ref: 02CB907B
                                                                        • Part of subcall function 02CB9064: wsprintfA.USER32 ref: 02CB90E9
                                                                        • Part of subcall function 02CB9064: CreateFileA.KERNEL32(02CC22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02CB910E
                                                                        • Part of subcall function 02CB9064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02CB9122
                                                                        • Part of subcall function 02CB9064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02CB912D
                                                                        • Part of subcall function 02CB9064: CloseHandle.KERNEL32(00000000), ref: 02CB9134
                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02CB91E1
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                      • String ID:
                                                                      • API String ID: 3857584221-0
                                                                      • Opcode ID: 9dd0525d3434a8a76b3b3b4c19de882dd07138f20d1821e303b667a781c8e858
                                                                      • Instruction ID: 3eca145fe1ce0b323e2399565880d14b7ef3b49b740fc70225eb2c64fcef92b1
                                                                      • Opcode Fuzzy Hash: 9dd0525d3434a8a76b3b3b4c19de882dd07138f20d1821e303b667a781c8e858
                                                                      • Instruction Fuzzy Hash: 190192F6840158BBDB21A6619C4DFDF777CDB85B01F0001A1FB09E2040D67097858F71
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02CB2491,?,?,?,02CBE844,-00000030,?,?,?,00000001), ref: 02CB2429
                                                                      • lstrlenA.KERNEL32(?,?,02CB2491,?,?,?,02CBE844,-00000030,?,?,?,00000001,02CB1E3D,00000001,localcfg,lid_file_upd), ref: 02CB243E
                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 02CB2452
                                                                      • lstrlenA.KERNEL32(?,?,02CB2491,?,?,?,02CBE844,-00000030,?,?,?,00000001,02CB1E3D,00000001,localcfg,lid_file_upd), ref: 02CB2467
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrlen$lstrcmpi
                                                                      • String ID: localcfg
                                                                      • API String ID: 1808961391-1857712256
                                                                      • Opcode ID: cde6334ff6d995bebe95a8ca7f9a81a661ab3753912a212669148b1f13bb97d0
                                                                      • Instruction ID: ce043089475ea9813eee850b8e73890359977e64f6c70173d1288aebdfed5da2
                                                                      • Opcode Fuzzy Hash: cde6334ff6d995bebe95a8ca7f9a81a661ab3753912a212669148b1f13bb97d0
                                                                      • Instruction Fuzzy Hash: 62011A31600218EFCF12EF69CC819DE7BA9EF44364B11C826EC5997610E330EA508E91
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wsprintf
                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                      • API String ID: 2111968516-120809033
                                                                      • Opcode ID: 3dbdfda8701e6244f89c4e57764859d5ebd67c126a65a46f6597307fb28a17b1
                                                                      • Instruction ID: 3d02178b037a1f8ecd554172fab20bf616cfe674d24101b0f4b298afc76a5244
                                                                      • Opcode Fuzzy Hash: 3dbdfda8701e6244f89c4e57764859d5ebd67c126a65a46f6597307fb28a17b1
                                                                      • Instruction Fuzzy Hash: 46419A729042989FDB22CFB98C54BEE3BED9F49311F280156F9A4D3142D674DA05CBA0
                                                                      APIs
                                                                        • Part of subcall function 02CBDD05: GetTickCount.KERNEL32 ref: 02CBDD0F
                                                                        • Part of subcall function 02CBDD05: InterlockedExchange.KERNEL32(02CC36B4,00000001), ref: 02CBDD44
                                                                        • Part of subcall function 02CBDD05: GetCurrentThreadId.KERNEL32 ref: 02CBDD53
                                                                      • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,02CB5EC1), ref: 02CBE693
                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,02CB5EC1), ref: 02CBE6E9
                                                                      • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,75920F10,00000000,?,02CB5EC1), ref: 02CBE722
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                      • String ID: 89ABCDEF
                                                                      • API String ID: 3343386518-71641322
                                                                      • Opcode ID: 15835d95059220cfe3d6ce1572d0f7c1c2e22213e1ac42c5b16f681a6cd38545
                                                                      • Instruction ID: 4bca035a7eed4e498b5bab6df235c5dd86a56dc1a65afd2147693025022d01df
                                                                      • Opcode Fuzzy Hash: 15835d95059220cfe3d6ce1572d0f7c1c2e22213e1ac42c5b16f681a6cd38545
                                                                      • Instruction Fuzzy Hash: 8E31BE31A00719DFCB328E65D884BE777E4BF45B24F50492AE99587541E770E980CB91
                                                                      APIs
                                                                      • RegCreateKeyExA.ADVAPI32(80000001,02CBE2A3,00000000,00000000,00000000,00020106,00000000,02CBE2A3,00000000,000000E4), ref: 02CBE0B2
                                                                      • RegSetValueExA.ADVAPI32(02CBE2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02CC22F8), ref: 02CBE127
                                                                      • RegDeleteValueA.ADVAPI32(02CBE2A3,?,?,?,?,?,000000C8,02CC22F8), ref: 02CBE158
                                                                      • RegCloseKey.ADVAPI32(02CBE2A3,?,?,?,?,000000C8,02CC22F8,?,?,?,?,?,?,?,?,02CBE2A3), ref: 02CBE161
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Value$CloseCreateDelete
                                                                      • String ID:
                                                                      • API String ID: 2667537340-0
                                                                      • Opcode ID: 0addd76fec9fa205159df822c55cdf9d1ae343920bdd92ab96d9a8892c9ad50f
                                                                      • Instruction ID: 75991e184b2b2db5482ed6c07576a53d844a846e0291bc3305e948e127be6fb4
                                                                      • Opcode Fuzzy Hash: 0addd76fec9fa205159df822c55cdf9d1ae343920bdd92ab96d9a8892c9ad50f
                                                                      • Instruction Fuzzy Hash: 06215C72E00219BBDF219EA5DC89EDF7FB9EF09B60F504161F904E6151E7318A14DBA0
                                                                      APIs
                                                                      • ReadFile.KERNEL32(00000000,00000000,02CBA3C7,00000000,00000000,000007D0,00000001), ref: 02CB3FB8
                                                                      • GetLastError.KERNEL32 ref: 02CB3FC2
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 02CB3FD3
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02CB3FE6
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                      • String ID:
                                                                      • API String ID: 888215731-0
                                                                      • Opcode ID: 446165683042c0ac4dd63b4a95a95799f90644dcdc4e6c65d2f2335b6811a943
                                                                      • Instruction ID: 97a224f2cf9b19421323529414ead5156a89f8f4122d00c9929fa0c0a87e28dc
                                                                      • Opcode Fuzzy Hash: 446165683042c0ac4dd63b4a95a95799f90644dcdc4e6c65d2f2335b6811a943
                                                                      • Instruction Fuzzy Hash: 0B01D77291110AABDF12DF94DD49BEE7B7CEF04355F104491F902E2040D7719A648BA2
                                                                      APIs
                                                                      • WriteFile.KERNEL32(00000000,00000000,02CBA3C7,00000000,00000000,000007D0,00000001), ref: 02CB3F44
                                                                      • GetLastError.KERNEL32 ref: 02CB3F4E
                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 02CB3F5F
                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02CB3F72
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                      • String ID:
                                                                      • API String ID: 3373104450-0
                                                                      • Opcode ID: 70362fc9c8473a018c5993f278913f92fd3c1edac55d4f1204db16af92d46b81
                                                                      • Instruction ID: 8dbd384e0aed1dabf1bf4d0f5bc9a202a044a8c096d096c280bc3e8bb4c82d54
                                                                      • Opcode Fuzzy Hash: 70362fc9c8473a018c5993f278913f92fd3c1edac55d4f1204db16af92d46b81
                                                                      • Instruction Fuzzy Hash: 7401D072911149EBDB02DE90E988BEE7BBCEF04366F1045A5FA01E2040D7319A248BA2
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02CB4E9E
                                                                      • GetTickCount.KERNEL32 ref: 02CB4EAD
                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 02CB4EBA
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02CB4EC3
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 5438beaec442f01d2a28cac616b878f52ca36b57622b68bb0ac14f4b6e3642d9
                                                                      • Instruction ID: 50aba088aa61aaee8824b4b76f447ebc6558aad2adfb3093c5d7e3f72da0f915
                                                                      • Opcode Fuzzy Hash: 5438beaec442f01d2a28cac616b878f52ca36b57622b68bb0ac14f4b6e3642d9
                                                                      • Instruction Fuzzy Hash: 4EE07D3774424497D62022BAAC80F97B3499F86370F120A32F708C2142C657D45241F1
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02CB4BDD
                                                                      • GetTickCount.KERNEL32 ref: 02CB4BEC
                                                                      • Sleep.KERNEL32(00000000,?,?,?,0301B114,02CB50F2), ref: 02CB4BF9
                                                                      • InterlockedExchange.KERNEL32(0301B108,00000001), ref: 02CB4C02
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: d047556c412b60e9e5cd329ea82ee2ad3c29c233f592e861151ac2181dbf8cf6
                                                                      • Instruction ID: ab679ff3144242497f02def6924d22fc188003749fba8ed1486b57cdaf2b75a6
                                                                      • Opcode Fuzzy Hash: d047556c412b60e9e5cd329ea82ee2ad3c29c233f592e861151ac2181dbf8cf6
                                                                      • Instruction Fuzzy Hash: A6E0CD3768561497CB2016B65C80FE6775CDF85772F170972F708D2141C556945141F5
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02CBA4D1
                                                                      • GetTickCount.KERNEL32 ref: 02CBA4E4
                                                                      • Sleep.KERNEL32(00000000,?,02CBC2E9,02CBC4E0,00000000,localcfg,?,02CBC4E0,02CC3588,02CB8810), ref: 02CBA4F1
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02CBA4FA
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: 9acf606f8f21ec8034b7f107c4956c7ab8489f36695c78e52c5fe2866d8a2bc4
                                                                      • Instruction ID: fc606c08273d0b148612324c86cb861252d9f974f48bfa7d8815e6eb1548f7b0
                                                                      • Opcode Fuzzy Hash: 9acf606f8f21ec8034b7f107c4956c7ab8489f36695c78e52c5fe2866d8a2bc4
                                                                      • Instruction Fuzzy Hash: 89E07D33240204A7CB0117A6AC84FEE3388EF8D771F130521FF48D3140C617A55185F2
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 02CB3103
                                                                      • GetTickCount.KERNEL32 ref: 02CB310F
                                                                      • Sleep.KERNEL32(00000000), ref: 02CB311C
                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 02CB3128
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                      • String ID:
                                                                      • API String ID: 2207858713-0
                                                                      • Opcode ID: f136d8743b0ee9a09e09c0556ff893698fbceb905992e24aeca2a86219d48f14
                                                                      • Instruction ID: a9126b957396c4928c4784d43be0fc1e1c977cf730a9b146fc18ee7f16e791c4
                                                                      • Opcode Fuzzy Hash: f136d8743b0ee9a09e09c0556ff893698fbceb905992e24aeca2a86219d48f14
                                                                      • Instruction Fuzzy Hash: 5BE02B31740215EFDB006B76AD45FC97B6EDFC4771F120872F201D3090C6504C1089B1
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: 4faf23d74714d71d218e9eb8cbacf39fd6809becea464d741827cba6ca25977f
• Instruction ID: 4fd8515486468ba77c5ab856cf8281e22149432ca217db868c81dc6e6d9fde22
• Opcode Fuzzy Hash: 4faf23d74714d71d218e9eb8cbacf39fd6809becea464d741827cba6ca25977f
• Instruction Fuzzy Hash: 4121D232A10516AFDB118F74D8806DABBBEEF60615F39079BD801D7101CB34EA40CB50
APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 02CBC057
Memory Dump Source
• Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: c7da1a8a7a24a3d6277771431fbabc1041b98b4c2757ebfca8aef9ad5893996a
• Instruction ID: 1e3050edbc2be683c8872bf34cb6641f4627a490bf57c26ed067d676260c3c09
• Opcode Fuzzy Hash: c7da1a8a7a24a3d6277771431fbabc1041b98b4c2757ebfca8aef9ad5893996a
• Instruction Fuzzy Hash: 21119772500100FFDB429AA9CD48E567FA6FF88328B34819CF6188E126D633D863EB50
APIs
  • Part of subcall function 02CB30FA: GetTickCount.KERNEL32 ref: 02CB3103
  • Part of subcall function 02CB30FA: InterlockedExchange.KERNEL32(?,00000001), ref: 02CB3128
• GetCurrentThreadId.KERNEL32 ref: 02CB3929
• GetCurrentThreadId.KERNEL32 ref: 02CB3939
Strings
Memory Dump Source
• Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: bb0da020d7e55f6bc7f97696af158d5f6e94b522d1b700588b25ff8678bedce9
• Instruction ID: 95702af9a6eb07e399e0318d0a32781a6a2f61d91bbe0e5e4d51b00bed8971ff
• Opcode Fuzzy Hash: bb0da020d7e55f6bc7f97696af158d5f6e94b522d1b700588b25ff8678bedce9
• Instruction Fuzzy Hash: F2114671D40244EFE722DF19D480A98F3F5FF08716F208A9EE85197280C770AA81DFA1
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,02CBBD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 02CBABB9
• InterlockedIncrement.KERNEL32(02CC3640), ref: 02CBABE1
Strings
Memory Dump Source
• Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
Yara matches
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 3d0ffbc68a5ae6e9c4b83989dde23ea19d1ad553d35f5daa357d3455a2f1847c
• Instruction ID: 7a1ff20d764242e712ade3eda8a88c0c229ccb799c3b9915be942742fab1e1a0
• Opcode Fuzzy Hash: 3d0ffbc68a5ae6e9c4b83989dde23ea19d1ad553d35f5daa357d3455a2f1847c
• Instruction Fuzzy Hash: 65015A319482C4AFEB12CE19D881F967BAABF55254F254899E5D08B202C3B1E684CBA1
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 02CB26C3
• inet_ntoa.WS2_32(?), ref: 02CB26E4
Strings
Memory Dump Source
• Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: 6a8425f32f89414f0342c2597e353538970fc4e6ddd08f114b724ef08ff51ca6
• Instruction ID: 51869b7df2d31c606ae5195b5188181d737a0b890b45fd703ea6f02eef0d03f9
• Opcode Fuzzy Hash: 6a8425f32f89414f0342c2597e353538970fc4e6ddd08f114b724ef08ff51ca6
• Instruction Fuzzy Hash: 52F03732598209BFEF056FB4EC05BEA379DDF05650F144425FD08DA090DB71D950D799
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,02CBEB54,_alldiv,02CBF0B7,80000001,00000000,00989680,00000000,?,?,?,02CBE342,00000000,7508EA50,80000001,00000000), ref: 02CBEAF2
• GetProcAddress.KERNEL32(76E80000,00000000), ref: 02CBEB07
Strings
Memory Dump Source
• Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: 61acc11cfb4ab93c886c0dc386deddd3525b277323e49ca2209beeeefad447c4
• Instruction ID: c72c3dd8bc51e7911a1e7a32f54218dd233cb44e799b937ee3df0b2b59b26417
• Opcode Fuzzy Hash: 61acc11cfb4ab93c886c0dc386deddd3525b277323e49ca2209beeeefad447c4
• Instruction Fuzzy Hash: 5FD0C934A903429B9F135F65AE0AB8576ECBB84B11BA08959E41AD2202E730D424DA08
APIs
  • Part of subcall function 02CB2D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02CB2F01,?,02CB20FF,02CC2000), ref: 02CB2D3A
  • Part of subcall function 02CB2D21: LoadLibraryA.KERNEL32(?), ref: 02CB2D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02CB2F73
• HeapFree.KERNEL32(00000000), ref: 02CB2F7A
Memory Dump Source
• Source File: 00000011.00000002.3242409275.0000000002CB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2cb0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: cc7e9ff9bcc700a3cabc7c1fad2c582696bc43ab2974f1cd7957661e96daf4f7
• Instruction ID: 623bbf3a5ac2cf4d3c14a32f2f0765676122b57390aac8c2762ce1c79edecc34
• Opcode Fuzzy Hash: cc7e9ff9bcc700a3cabc7c1fad2c582696bc43ab2974f1cd7957661e96daf4f7
• Instruction Fuzzy Hash: 51517D7590029ADFDF029F64D888AFABB79FF05304F1445A9EC96D7210E7329A19CB90